Hiding a Secret/API key in Android
It is very easy to extract secret keys or an API key from an APK using reverse engineering. There are several ways to make this harder for an attacker:
- Encode strings using Base64.
- Hide strings using MD5 or SHA-1.
- Save strings in the cloud and fetch them on first launch.
- Use the NDK (safest).
1) Encode strings using Base64.
pros: Very easy to use.
cons: Strings can be extracted from the APK easily once the attacker knows they are Base64 encoded.
2) Hide strings using MD5 or SHA-1.
pros: Harder to extract than Base64.
cons: To un-hash/decrypt the string we have to use a key, which will be hardcoded somewhere inside the code. If the attacker gets this key, they can un-hash/decrypt all the hidden strings.
3) Save strings in the cloud and fetch them on first launch.
pros: Compared to the two methods above this is the safest, because the secret/API key is not present inside the APK.
cons: If the attacker discovers the REST API used to fetch the secret/API key, they have access to all the secret information, because that API endpoint will also be hardcoded somewhere inside the APK.
4) Using the NDK
The NDK is the most difficult method for an attacker to extract secret information from.
pros: All secret information is stored in a C++ file and compiled into a .so file. It is very hard to extract strings from the .so file because the C code is converted to machine code.
cons: If the attacker somehow manages to extract the information from the .so file, the secret text will be in hex values, which are not readable.
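Whichever of the four methods you pick, the practical question is whether the key still ships inside the package in a trivially reversible form. The following release-time check is an added example, not code from the original post: it opens an APK (which is just a zip), and searches every entry, including any .so under lib/, for the secret as plain text, Base64, hex and reversed bytes. The sample APK and the key `sk_live_EXAMPLE_KEY_123` are constructed inline.

```python
"""Pre-release check: confirm a secret does not ship inside the APK in any
trivially reversible form. Added example; the APK below is constructed inline."""
import base64
import io
import zipfile


def encoded_forms(secret: str) -> dict:
    """Byte patterns a reverse engineer would grep for: plain, Base64, hex, reversed."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw),
        "hex": raw.hex().encode(),
        "reversed": raw[::-1],
    }


def scan_apk(apk_bytes: bytes, secret: str) -> list:
    """Return (entry name, form) for every APK entry containing the secret in some form."""
    hits = []
    forms = encoded_forms(secret)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            data = apk.read(entry)  # works for classes.dex, resources and lib/*.so alike
            for form, pattern in forms.items():
                if pattern in data:
                    hits.append((entry, form))
    return hits


def build_sample_apk(secret: str) -> bytes:
    """Constructed sample: a minimal zip standing in for an APK, with the key
    Base64-'hidden' in a resource file, as method 1 of the post would do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("res/raw/config.txt", b"api_key=" + base64.b64encode(secret.encode()))
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)  # placeholder, no secret
    return buf.getvalue()


if __name__ == "__main__":
    key = "sk_live_EXAMPLE_KEY_123"  # constructed placeholder, not a real key
    for entry, form in scan_apk(build_sample_apk(key), key):
        print(f"secret found in {entry} as {form}")  # prints: ... res/raw/config.txt as base64
```

Run it against the real APK from your build (`scan_apk(open("app-release.apk", "rb").read(), key)`) and fail the build on any hit; an empty result for method 4 means the .so at least does not contain the key in one of these four forms.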
NOTE: Steps to hide secret data using the NDK will be available shortly.
Do clap if you liked it, or leave a comment on how to improve.