Android Question Securing info in an apk

[iCAB]

Hi All

This topic started as a result of the question asked in the link below

https://www.b4x.com/android/forum/t...-cloud-messaging-fcm.67716/page-9#post-454922

The question was related to the fact that I am attempting to send Firebase notification messages directly between mobile devices without having a server in between. The security of the approach was questioned based on the fact that someone can decompile the code and get the Server API key.

My last post was:

Here is what I am trying to understand based on the conversation above and based on the fact that someone can decompile the apk in an attempt to hack the system.

1. In my solution, the server API key is not part of the apk at all
2. The key is exchanged between the server and the client in encrypted format and using a secure http handshake (session keys, message signing etc.. )
3. The descrypted key is stored in a Global variable and not in a file


1. Is it possible for someone to get access to the key based on the above? I am not talking about decrypting the key at this point. Just accessing the variable holding the key in memory

2. assuming that someone is attempting to hack the system, wouldn't it be easier to figure out a way to send messages to the small B4J server than figuring out the encryption used to retrieve the key

Please comment

 

[Erel]

A "serious hacker" can decompile the code and run it with a debugger attached. The key will be exposed.

The advantage of adding a middleware server is that you have more control and you can react to harmful attempts. You can for example send the user name and password to the B4J server. If someone tries to abuse your server then disable the specific user account.

With the API_KEY it is all or nothing. If someone has access to your key then the only thing that you can do is to switch to a different key which will cause all existing app installations to fail.

You can also create a secure solution with FirebaseAuth and [server] FirebaseServer - backend verification for signed in users

 

[KMatle]

Another question: Getting the API_KEY from a Server is a good solution. What about the JSON which has to be downloaded from the firebase console. Are any Contents included in the APK?

 

[DonManfred]

look at the apk. rename to .zip and have a look. The json is part of the content

 

[iCAB]

A "serious hacker" can decompile the code and run it with a debugger attached. The key will be exposed

Thanks for the update, however this means that no Android app can be really secured

Assuming I do the above and I use a middleware server to solve this issue. What about other sensitive information such as, Google API keys (for direction, places etc.. )?
Eventually the key will have to be used as is when issuing the API call.

What is the proper approach to secure sensitive information?

 

[Erel]

Anything that is stored in the APK can be hacked. Make sure to use the obfuscator to make it more difficult.

Anyone can easily and legitimately get a firebase key or one of the others Google API keys.

 

[Widget]

Anything that is stored in the APK can be hacked. Make sure to use the obfuscator to make it more difficult.

Anyone can easily and legitimately get a firebase key or one of the others Google API keys.

It sounds to me like people are trying to create a pick proof lock for a screen door.

The entire APK can be compromised. Even if you can authenticate the user with a server, what prevents a hacker from intercepting the key returned from the server or bypassing security checks in the code? Sure the obfuscator will slow him down, but it is still executing source code. I will have to find time to investigate "StarForce Android Protection" to see if they have solved the copy protection problem. (It's expensive. Around $350/yr + $0.25/copy sold so it is only appropriate for expensive apps)

I haven't used B4i yet, but I assume it compiles the app to an executable (binary), right? If so, it will make the app much harder (but not impossible) to crack.

 

[KMatle]

The json is part of the content

I did (Release) but I can't find it:

Is it coded inside classes.dex?

 

[DonManfred]

I did (Release) but I can't find it

you are right

Is it coded inside classes.dex?

This or inside the resources.arsc

 

[KMatle]

@DonManfred : Would you please take a look at this thread (post #3): http://stackoverflow.com/questions/31597953/what-does-google-services-json-really-do

As I've understood the google-services.json isn't really needed (they talk about a "quickstart"):

So this plugin and JSON file are not essential to running or publishing your app, it is just a quickstart helper to generate some basic android-resource files for easier integration of specific Google API features.

This plugin and JSON-file do NOT directly influence the inner workings of said Google-features for your app! If you already have followed older tutorials on developer.android.com on how to integrate e.g. GCM or Google Analytics, then you don't even need to integrate either the gradle-plugin google-services or the google-services.json file!

So it sounds like there is a chance to remove the JSON and handle API_KEYs completely on your own?