Android Question hiding strings into the code

Discussion in 'Android Questions' started by ALBRECHT, Aug 2, 2019.

  1. ALBRECHT

    ALBRECHT Active Member Licensed User

    Hello,

    For security, is it necessary, and if yes, what is the best method for:

    Hiding particular parameters or constants or vars in the code,
    like:

    Code:
    Public PhaRcs As String = "Mypassword" ' Password
    Public WebSite As String = "https://www.MyWebSite.com" ' Url
    Public ServerUrl As String = WebSite & "/Asp/ListCatJson.asp" ' Url part
    Public DbGlobal As String = "dbglobal.db" ' Db Name
    It may be a ridiculous idea, but I ask the question anyway.

    For example if there are reverse assemblers or compilers ...
    or for best practices

    Thanks,
    Michel
     
  2. emexes

    emexes Well-Known Member Licensed User

    Refer to this thread in general:

    https://www.b4x.com/android/forum/threads/obfuscation.37699/

    and this post in particular:

    https://www.b4x.com/android/forum/threads/obfuscation.37699/#post-222647

    Having said that, if for some reason you don't want to use the standard obfuscation, then you could always do your own form of it by eg:

    - assembling the strings at runtime from fragments of it that are spread about your program
    Public AddrStreet As String = "/Asp/ListC" 'in process globals of one module
    Public AddrSuburb As String = "atJson.asp" 'in process globals of another module
    Public ServerURL As String = WebSite & AddrStreet & AddrSuburb 'close to where you need it
    HttpRequest(WebSite & AddrStreet & AddrSuburb) 'or even better, don't have a public variable with the unencoded string

    - using runtime Chr() to disguise essential characters as numeric values
    Public ServerUrl As String = WebSite & "/Asp/ListC" & Chr(97) & "tJson" & Chr(46) & "asp"

    - encode the string as Base64, that's enough to throw off most people
    Dim su As StringUtils
    Dim bc As ByteConverter
    Dim Secret As String = "/Asp/ListCatJson.asp"
    Dim Encoded As String = su.EncodeBase64(Secret.GetBytes("UTF8"))
    Dim Unencoded As String = bc.StringFromBytes(su.DecodeBase64(Encoded), "UTF8")
    Log(Secret)
    Log(Encoded)
    Log(Unencoded)

    - combine the techniques, eg:
    Dim su As StringUtils
    Dim bc As ByteConverter
    Dim ShortcutIcon As String = "0FzcC9MaXN0Q2F0SnNvbi5hc3A=" 'innocuous variable name, cut off leading "L" to throw off even more people
    Log(bc.StringFromBytes(su.DecodeBase64(ShortcutIcon), "UTF8")) 'junk
    Log(bc.StringFromBytes(su.DecodeBase64(Chr(64 + 12) & ShortcutIcon), "UTF8")) 'restore the missing "L"
     
    Last edited: Aug 3, 2019
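
How little the Base64 and "cut off the leading L" tricks in the post above hide, as an added Python example that is not part of any post in this thread. The function names are hypothetical and the string table is constructed from the values posted above; run against your own build's string table, it shows what a plain string scan recovers.

```python
import base64
import binascii
import string

B64_ALPHABET = string.ascii_letters + string.digits + "+/"

# Constructed string table: literals as they would sit in a compiled app,
# using the values posted in this thread.
CONSTRUCTED_LITERALS = [
    "https://www.MyWebSite.com",
    "dbglobal.db",
    "ShortcutIcon",
    "L0FzcC9MaXN0Q2F0SnNvbi5hc3A=",  # plain Base64
    "0FzcC9MaXN0Q2F0SnNvbi5hc3A=",   # Base64 with the leading "L" cut off
]

def decode_printable(candidate):
    """Return decoded text if candidate is Base64 of printable ASCII, else None."""
    if len(candidate) < 8 or len(candidate) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def recover(literal):
    """Try the literal as-is, then with every possible missing first character."""
    hits = []
    direct = decode_printable(literal)
    if direct is not None:
        hits.append(direct)
    for ch in B64_ALPHABET:
        text = decode_printable(ch + literal)
        if text is not None:
            hits.append(text)
    return hits

def scan(literals):
    """Map each literal that yields readable text to its candidate decodings."""
    found = {}
    for lit in literals:
        hits = recover(lit)
        if hits:
            found[lit] = hits
    return found

if __name__ == "__main__":
    for lit, hits in scan(CONSTRUCTED_LITERALS).items():
        print(f"{lit!r}: {len(hits)} candidate(s), e.g. {hits[0]!r}")
```

Dropping the first Base64 character only makes the first decoded byte ambiguous; every candidate still ends in the same readable path.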
  3. DonManfred

    DonManfred Expert Licensed User

    Please use [CODE]code here...[/CODE] tags when posting code. This also applies to you
     
    Jorge M A likes this.
  4. emexes

    emexes Well-Known Member Licensed User

    Was keeping to the spirit of the question: obfuscation, not revelation :)
     
    mendiburen likes this.
  5. MarkusR

    MarkusR Well-Known Member Licensed User

    Take into consideration:
    someone can read the memory of the used app.
    someone can replace the library and you call HttpRequest or set UserName & Password there.
    someone can replace the domain name and the app would send a connect to the wrong place.

    Usually I would give each user separate account data, which he must input once, and save this into an encrypted settings file.
    Same for the URL, can be an input setting once.
     
    Jorge M A and emexes like this.
  6. ALBRECHT

    ALBRECHT Active Member Licensed User

    Ok thanks Emexes,

    so I am going to try to mix the 2 methods for my strings declared in "Sub Process_Globals":
    - assembling the strings by fragments
    - + using the obfuscated process for those Process_Globals strings

    Have a good weekend
     
  7. ALBRECHT

    ALBRECHT Active Member Licensed User

    MarkusR,

    in that case, where do you store the encrypted settings file, DirInternal?
     
  8. emexes

    emexes Well-Known Member Licensed User

    Agreed, which makes it impossible to 100% hide values within a program, and is where I was heading with this comment:

    Public ServerURL As String = WebSite & AddrStreet & AddrSuburb 'close to where you need it
    HttpRequest(WebSite & AddrStreet & AddrSuburb) 'or even better, don't have a public variable with the unencoded string


    There is a diminishing-returns law in effect: OP has to weigh up how much effort to put into protecting this information, vs the problems caused by its revelation.

    Spending 1 hour to deter 99.99% of people might be more acceptable than spending 1 week to deter 99.999% of people. And, generally speaking: added complexity = added fragility and support load, in my experience.
     
  9. ALBRECHT

    ALBRECHT Active Member Licensed User

    I agree 100%, as always, everything is a question of balance of returns
     
    emexes likes this.
  10. MarkusR

    MarkusR Well-Known Member Licensed User

    Sounds ok, it will be deleted at uninstall.

    I never used it but "two-way SSL Authentication" seems great.
    The server can be sure it's a correct client.
    And the client can be sure the server is correct.
    Nobody else (without certificate) can make a connection.
     