How to safely store password for encrypted file in code?

[NFOBoy]

In looking through all the posts about encrypting/protecting apk from being co-opted, I have figured out the following (all within B4A modules/libraries):

1. Compile code using obfuscation.

2. Use the Google Licensing Library with SetVariableAndValue

3. Use SQLCipher with SQLite database, or use RandomAccessFile encryption methods.

All sound like they at least will slow down the attempts at breaking apart our programs that we want to keep private..

However, what is the best way to store the password that is used for the SQLCipher or RandomAccessFile?

My thought is that with decompilation, it would be relatively easy to find the password if stored as a straight string. If it were stored in a file that had been encrypted... then the password for "that" file has to be stored somewhere...... Are there methods for storing the password in code, such that it is difficult to find/reconstruct?

Ross

 

[derez]

I have a file with many lines of random strings, and in the application code I take one line and start at a certain place at the string. So the code has only a simple pointer by two numbers, not the password string itself.
Still - if you can have the full source - you can track it to the actual password.

 

[Informatix]

In looking through all the posts about encrypting/protecting apk from being co-opted, I have figured out the following (all within B4A modules/libraries):

1. Compile code using obfuscation.

2. Use the Google Licensing Library with SetVariableAndValue

3. Use SQLCipher with SQLite database, or use RandomAccessFile encryption methods.

All sound like they at least will slow down the attempts at breaking apart our programs that we want to keep private..

However, what is the best way to store the password that is used for the SQLCipher or RandomAccessFile?

My thought is that with decompilation, it would be relatively easy to find the password if stored as a straight string. If it were stored in a file that had been encrypted... then the password for "that" file has to be stored somewhere...... Are there methods for storing the password in code, such that it is difficult to find/reconstruct?

Ross

Just to let you know: I'm not a hacker and never tried to be, however I can decompile everything on my phone in a few seconds (let's say 15 minutes when there are advanced protections). I can even deobfuscate the result (that does not mean I can retrieve exactly the original source code, of course, but the code becomes readable). I won't explain how I do and what tools I use because I do not want to support this. I wanted to say that a skilled programmer (like the ones providing cracked apps) can easily defeat most of Android app protections. I'm still looking for something robust not requiring an external server.

 

[NFOBoy]

So, not even worth the effort to try and protect encrypted files included in your project? (as my programs do not connect to any external server, just wanted to protect those included files a little bit.)

Just to let you know: I'm not a hacker and never tried to be, however I can decompile everything on my phone in a few seconds (let's say 15 minutes when there are advanced protections). I can even deobfuscate the result (that does not mean I can retrieve exactly the original source code, of course, but the code becomes readable). I won't explain how I do and what tools I use because I do not want to support this. I wanted to say that a skilled programmer (like the ones providing cracked apps) can easily defeat most of Android app protections. I'm still looking for something robust not requiring an external server.

 

[Informatix]

So, not even worth the effort to try and protect encrypted files included in your project? (as my programs do not connect to any external server, just wanted to protect those included files a little bit.)

If you don't connect to an external server, that means you store the password in one of the application files. Whatever method you use to store it (e.g. hidden inside a picture), you coded a function in your app to read it and uncrypt your file with it. A skilled programmer will find this very easily. So, encrypted or not, that doesn't matter in that case. You will just prevent a few wanna-be-crackers from being too curious.
It's a very different matter if the password is not stored in the app but asked to the user each time.

 

[mrjaw]

OK, I am reading and I worry. For example, my app connects to server using webservices for communication if I can decompile so easy the code I can create other service that send the same information and to do a false client?

 

[Informatix]

OK, I am reading and I worry. For example, my app connects to server using webservices for communication if I can decompile so easy the code I can create other service that send the same information and to do a false client?

Do you really want to be scared ? Send me your apk and I will send you back the java source code (by PM).

French speakers can read an interesting article about piracy problems.
I translate one sentence:
"Sports Interactive, creator of the popular Football Manager, estimated that the piracy rate was 90% for their game."

Another link about piracy in french

 

[susu]

How about dynamically linked library (.so file). I see many apps use this. As far as I know, you can't decompile to read source code.

 

[Informatix]

How about dynamically linked library (.so file). I see many apps use this. As far as I know, you can't decompile to read source code.

You cannot decompile them, but you can disassemble them. Less people will get access to your little secrets, but that does not mean noone. And people loving to crack our hard work are not scared at all by assembly code.

 

[Informatix]

I was tempted to post here a link to a blog where a guy explain in details how to hack games protected by .so libraries, but I'm reluctant to make some advertisement for this kind of knowledge. If someone wants to know, use Google. I learned in this article that the disassembler is provided by Google itself in its NDK package.

 

[thedesolatesoul]

No need to be scared. Piracy is about other factors not about how easy or hard it is to decompile.
If you manage to create a connection with your users and they want to support you, They will buy it. Everyone else will probably not.

Sent from my GT-I9000 using Tapatalk 2

 

[Informatix]

No need to be scared. Piracy is about other factors not about how easy or hard it is to decompile.
If you manage to create a connection with your users and they want to support you, They will buy it. Everyone else will probably not.

That's not as trivial as you may think. When a company needs a lot of sales on the Google market to pay its employees and continue to exist, piracy may quickly become the problem number one. That was explained in the (french) links I provided. On security forums, it is said many times that Android offers currently no real protection against piracy, contrary to iOS, and the level of code protection or data protection is far below what we can find on Windows games for example. That means the companies must use or invent new ways of earning money on this platform. One of the way I'm going to use personnally is to provide a plug-in to unlock the free version (as Winamp does), so the code of the full version is not in the public free version. Only registered users will be able to distribute a full cracked version. I can do the same thing with data. Only registered users are entitled to download data from a specific area on my server. Others can't download anything.

 

[thedesolatesoul]

That's not as trivial as you may think. When a company needs a lot of sales on the Google market to pay its employees and continue to exist, piracy may quickly become the problem number one.

I know its not an ideal situation, but even if companies like Microsoft, Adobe etc have been unable to prevent this, how would indie devs like us combat it without Googles support.

On security forums, it is said many times that Android offers currently no real protection against piracy, contrary to iOS, and the level of code protection or data protection is far below what we can find on Windows games for example.

This is true. Google were going to introduce device-based encryption of apps but they turned it off due to problems. That was one step in the right direction, and two steps back.

That means the companies must use or invent new ways of earning money on this platform. One of the way I'm going to use personnally is to provide a plug-in to unlock the free version (as Winamp does), so the code of the full version is not in the public free version. Only registered users will be able to distribute a full cracked version. I can do the same thing with data. Only registered users are entitled to download data from a specific area on my server. Others can't download anything.

This is not as easy as it sounds. Anyone can download your registered plug-in and copy the apk and refund it. So now they have the full version, unlinked to the market. How hard was that? Short of having a webserver, a login mechanism, and internet connectivity in your app there is very less you can do. And even this may not be a foolproof solution, since I dont know if there is a way to link a buyers purchase to an ID on your webserver?

Eitherway it is a question of how much time, effort and money are you willing to invest in anti-piracy measures and whether it is worth making another app in that time that covers up your losses.

 

[Erel]

So now they have the full version, unlinked to the market. How hard was that?

Google licensing service should handle this case.

 

[thedesolatesoul]

Google licensing service should handle this case.

There are tools that can remove this with one click.
While I think its one step more for the cracker, and the more work he needs to do the better, it will not save us when he distributes it online.

 

[Informatix]

Eitherway it is a question of how much time, effort and money are you willing to invest in anti-piracy measures and whether it is worth making another app in that time that covers up your losses.

Yes, this is a good summary of the problem.

 

[ajk]

I use method:

password to asci code

asci code to string

melt string (eg replace every third sign with sign =sign+1) or sth. like this

string to asci

in this form store passwords in apk.

It is easy to decode and very easy to crack but not visible.

 

[maleche]

Thank you for sharing your concerns and input. This is very interesting and should be a concern for those of us spending many hours developing code and would like to protect it.
I understand that it is virtually impossible to fully hide or encrypt code from prying eyes/hackers, but we should continue to share ideas.

I see many purchases for my app on Google Play, immediately followed by a refund. $4.99 is not much for a good app, however, my fear is that the hackers will distribute the app for free.

Keep up the good work!

Keep this discussion going!
Thank you all!

 

[madmadhouse]

Just a quick question, some of the question i shall be using in my app are my partners which he writes for pub quiz leagues and he gets paid for, I have been reading about how to protect the database etc and encyption and so on.. but my question is this..

Is there any way of stopping someone getting the .apk file, stripping/decompiling it, then taking it apart to find the passcode and all relevent bit pertaining to the encrytion, the putting it all back together again and having full access to the "protected" database of questions?

 

[Erel]

For some reason you appear as an unlicensed user in the forum. Please contact [email protected] in order to fix it.