Android Question Obfuscation

Rusty

Well-Known Member
Licensed User
Longtime User
Erel,
We have been using the Release Obfuscated to compile our .apk's.
One of my staff, decompiled the .apk and was readily able to read ALL of the code including "secret" keys.
I am very concerned about this.
In our code (for example) we store encryption keys:
Code:
B4X:
Sub Class_GlobalsDim Keys AsList
Keys.Initialize
Keys.add(ArrayAsByte(...,...,...))
Keys.add(ArrayAsByte(...,...,...))
Keys.add(ArrayAsByte(...,...,...))End Sub

We compile it obfuscated...
We use Dex2Jar on classes.dex; This creates a jar file; Then we use JD-gui to de-compile the jar; the results are:
Code:
B4X:
publicString _class_globals()
throws Exception
{
this._vv1 = new List();
this._vv1.Initialize();
this._vv1.Add(new byte[] { ...,...,...});
this._vv1.Add(new byte[] { ...,...,... });
this._vv1.Add(new byte[] { ...,...,... });return"";
}
Is there anything we can do to hide this further?
Alternatively, is there a process to "share" encryption keys from tablet to PC server that might be more secure?
Thanks,
Rusty
 

Rusty

Well-Known Member
Licensed User
Longtime User
yes, did i miss something? I don't have an _ in the variables, they are global (to a class, is that a problem?)
 
Upvote 0

eps

Expert
Licensed User
Longtime User
What are you expecting the obfuscator to do that it's not doing? I think it's mostly obvious, but if you are placing 'secret' keys in your code I don't think that this is a good practice. I also don't think that the obfuscator would touch those, it will only touch the variable names.

This bit?

Strings obfuscation
Any string written in Process_Globals sub (and only in this sub) will be obfuscated, making it much harder to extract important keys. The strings are defuscated at runtime.
 
Upvote 0

Rusty

Well-Known Member
Licensed User
Longtime User
I guess I was expecting a lower level (like binary/machine code on a pc). It appears the android "compiles/interprets" source code when apps are running. If this is so, then anyone can hack the source code of an app...correct?
I assume if I move the variables to the PROCESS_GLOBAL instead of CLASS_GLOBAL, the obfuscation will improve (from you last statement above).

Given, obfuscation won't accomplish the security of keys embedded within, what is the proper way to handle encryption keys?
e.g. Tablet encrypts data, sends to server (on pc), the server needs to be able to decrypt ... how can we share keys given the code; calculations; encryhption keys are viewable by anyone with those programs?
Thanks,
Rusty
 
Upvote 0

Rusty

Well-Known Member
Licensed User
Longtime User
Thanks Erel. I think I'm getting it...I hope :)
instead of using byte arrays, if I use strings (string arrays ok?) to store the keys, AND they are in PROCESS_GLOBALS, they'll be obfuscated, right?
Rusty
 
Upvote 0

Rusty

Well-Known Member
Licensed User
Longtime User
Thank you for putting up with me. It took me a bit to understand.
I'll give this a try and report back if there are still issues.
Thanks Erel.
Rusty
 
Upvote 0

Rusty

Well-Known Member
Licensed User
Longtime User
One last question.
If I follow your above guidelines; move my CLASS_GLOBAL variables to the PROCESS_GLOBAL in the MAIN of my class definition as strings (instead of byte array), will the variables be obfuscated in the resultant class .jar?
Rusty
 
Upvote 0

Rusty

Well-Known Member
Licensed User
Longtime User
Sorry,
What I meant was: When I create a library (class), there is a MAIN required for it to be compiled. The Class, of course, is a "module" attached to the project. If I move the keys list or table to the MAIN module in the class project, then "compile to library", will the resultant .jar file (library) have the table obfuscated or will I need to move the key data into each application that uses the library (.jar file)?
Rusty
 
Upvote 0
Top