How to safely store password for encrypted file in code?

NFOBoy

Active Member
In looking through all the posts about encrypting/protecting an apk from being co-opted, I have figured out the following (all within B4A modules/libraries):

1. Compile code using obfuscation.

2. Use the Google Licensing Library with SetVariableAndValue

3. Use SQLCipher with SQLite database, or use RandomAccessFile encryption methods.

All sound like they will at least slow down the attempts at breaking apart our programs that we want to keep private.

However, what is the best way to store the password that is used for the SQLCipher or RandomAccessFile?

My thought is that with decompilation, it would be relatively easy to find the password if stored as a straight string. If it were stored in a file that had been encrypted... then the password for "that" file has to be stored somewhere... Are there methods for storing the password in code, such that it is difficult to find/reconstruct?

Ross
 

JesseW

Active Member
...Is there any way of stopping someone getting the .apk file, stripping/decompiling it, then taking it apart to find the passcode and all relevant bits pertaining to the encryption, then putting it all back together again and having full access to the "protected" database of questions?

To answer your question, yes there is. See this tutorial, and read under the Strings obfuscation header.
 

Informatix

Expert
To answer your question, yes there is. See this tutorial, and read under the Strings obfuscation header.

I'm sorry to say a big No. Obfuscation does not prevent anyone from stealing or cracking your code. It's just to make your code harder to read. And as I said many times here, there's no protection against someone with a decent skill. And JD-Gui is not the only tool to decode a JAR file.
Many months ago, I posted in the forum a link to an article explaining that companies take into account the unavoidable piracy when they publish for Android. For some companies, the number of cracked copies is far more important than the number of licenses.
 

JesseW

Active Member
I'm sorry to say a big No. Obfuscation does not prevent anyone from stealing or cracking your code. It's just to make your code harder to read. And as I said many times here, there's no protection against someone with a decent skill. And JD-Gui is not the only tool to decode a JAR file.
Many months ago, I posted in the forum a link to an article explaining that companies take into account the unavoidable piracy when they publish for Android. For some companies, the number of cracked copies is far more important than the number of licenses.

I respect your opinion, but cracked and copied software is not an Android phenomenon (I know you know this, just said for emphasis). It's been going on since way before Windows was a twinkle in Bill's eye. It affects every application on every platform. There's just no way around it.

Also, there is no lock, physical or otherwise, that will keep out a skilled, determined thief, thus, locks cannot be engineered to keep them out. Locks of any type are engineered to keep out everyone else... Some would say locks keep honest people honest.

Until Android apps are distributed encrypted with public/private keys like ssh web pages are (which would require a data connection just to open the app), there's no way to keep out everyone. But if keeping out 99.99% is acceptable, then please see the link in my previous post.

Edit: Actually, as I think about it, the public/private key system would not work as an effective encryption system for apps. That applies to data sent from one digital location to another. -sorry
 

Informatix

Expert
Some would say locks keep honest people honest.

I agree with you, but the scale is very different. A company releasing a game for Windows does not expect 80% of illegal copies.
Removing the protection from a Windows game requires very high skills. The level needed to crack something under Android is much, much lower. And I maintain that obfuscation is not something that protects you against piracy. It's just something that slows down the process and avoids a perfect copy of your source code. A lot of guys in the world won't be stopped by that, at all (starting with me).

But if keeping out 99.99% is acceptable, then please see the link in my previous post.

The problem is that we're far from this number currently. Some companies complain that they have only 30% of paid copies.
The usual method to crack something is to pay for the software, copy the APK to your hard disk, ask for a refund before 15 minutes have passed, then crack the copy you made or prevent it from contacting the internet (since some of them run when there's no connection available). I don't understand why people love to steal from others like this, why they have so little respect for the work of others, but it's a reality. And it's not like downloading an MP3 or a movie without knowing exactly if you're allowed to; this method is deliberate piracy.
In a business plan, it's something that you have to take into account.
 

ArminKH

Well-Known Member
@Informatix
As you said in this thread, there's no way to protect our app, or at least some part of it like passwords.
But I think you know this is not easy for everyone, so let me know what the best security solution is for storing the password that decrypts my encrypted string inside my app at this time.
I need this for secure communication between Android and PHP (create a key on both sides with an encrypted password).
I know that even if we ensure maximum security, somebody can still break it, but it's better if we try and just try to keep our important data away.
Excuse me for my English and thank you for the excellent information :)
 

Informatix

Expert
@Informatix
As you said in this thread, there's no way to protect our app, or at least some part of it like passwords.
But I think you know this is not easy for everyone, so let me know what the best security solution is for storing the password that decrypts my encrypted string inside my app at this time.
I need this for secure communication between Android and PHP (create a key on both sides with an encrypted password).
I know that even if we ensure maximum security, somebody can still break it, but it's better if we try and just try to keep our important data away.
Excuse me for my English and thank you for the excellent information :)
Until now, I did not find a secure solution to store anything in an app or to protect your code except, as said above, using an external server or a .so library.
Concerning passwords, there are many scenarios involving them. If your password protects encrypted content then you don't have to store it anywhere. You just use the password provided by the user to decrypt the contents. If your password restricts the use of the app itself, then there's nothing smart to do because you probably have a function somewhere in your code checking that the given password is valid. A hacker will change the main condition of this function to always return true. However, you can store data useful for the application inside the password and so alter the normal behavior of the app if the data decoded from the password is bullshit.
 
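Added illustration of the "don't store it anywhere" answer above; this is not code from the thread or from B4A's own libraries, just plain Java (the language a B4A app compiles to) using the standard javax.crypto classes. The class name, the sample passphrase and the sample content are constructed for the example. The password never appears in the apk: a per-file random salt and PBKDF2 turn whatever the user types into the AES key, and AES-GCM's authentication tag is what rejects a wrong passphrase or a tampered file, so there is no `If password = "..." Then` condition in the code for a decompiler to find or a patcher to flip.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper for the example: a file whose key comes from the user, not the apk.
public class UserKeyedFile {
    private static final int SALT_LEN = 16;       // bytes, stored in clear with the file
    private static final int NONCE_LEN = 12;      // bytes, GCM nonce, stored in clear
    private static final int TAG_BITS = 128;      // GCM authentication tag length
    private static final int ITERATIONS = 100_000; // PBKDF2 work factor

    // Derive the AES key from the user's passphrase and the file's salt.
    // The salt is public; the passphrase exists only while the user types it.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                     .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Output layout: salt || nonce || AES-GCM ciphertext+tag
    static byte[] seal(char[] passphrase, byte[] plaintext) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        rng.nextBytes(salt);
        rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt),
               new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[SALT_LEN + NONCE_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(nonce, 0, out, SALT_LEN, NONCE_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + NONCE_LEN, ct.length);
        return out;
    }

    // Returns null for a wrong passphrase or a modified file. There is no
    // "password ok" boolean here to patch: the GCM tag check simply fails.
    static byte[] open(char[] passphrase, byte[] blob) {
        try {
            byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
            byte[] nonce = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + NONCE_LEN);
            byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + NONCE_LEN, blob.length);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt),
                   new GCMParameterSpec(TAG_BITS, nonce));
            return c.doFinal(ct);
        } catch (Exception e) { // AEADBadTagException, truncated blob, etc.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample content and passphrase for the demonstration.
        byte[] content = "question bank: Q1=..., Q2=...".getBytes(StandardCharsets.UTF_8);
        char[] userTyped = "correct horse".toCharArray();

        byte[] blob = seal(userTyped, content);
        System.out.println("right passphrase opens: " + (open(userTyped, blob) != null));
        System.out.println("wrong passphrase opens: " + (open("guess".toCharArray(), blob) != null));

        blob[blob.length - 1] ^= 0x01; // flip one bit of ciphertext/tag
        System.out.println("tampered file opens:    " + (open(userTyped, blob) != null));
        Arrays.fill(userTyped, '\0'); // drop the passphrase from memory when done
    }
}
```

This covers the first of Informatix's two cases (content the user unlocks). It does nothing for the second case, an app that refuses to run without a passcode, because there the check itself is in the apk; the closest you can get to his "store useful data inside the password" suggestion is exactly this pattern, where the passphrase is the only source of the key the app needs to read its own data, so patching a branch gains nothing.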