Hardcoded secret text in android app to use it for authentication or other

Question

I want to store a variable where no one can see the value,

If somebody tries to decompile the APK file:

private final String secretkey = "THEmyKEYISLOVE";

I compiled the application to APK and then decompiled it with http://www.javadecompilers.com

When I checked the code, it is showing the value! Is this a security problem?

I read something about Signed APK files, which includes a public key inside the APK, so only those who have the private key can open it. Does this work to prevent anyone from seeing the value of secretkey?

Any advice?

Answer 1

There is no way to do this. You have to design your app so that it is secure even in the presence of an untrusted client.

Obfuscation can make it slightly harder to actually find the secret value, but it won't stop a knowledgeable attacker for long and it really only gives you a false sense of security. Obfuscation is a red flag that the underlying security model is broken and needs to be redesigned.

Answer 2

The idea behind using an asymmetric encryption is to have a pair of keys: public key known by other parties and a private key know only by you. Do not hard code the keys in the code. Store them either in the private storage or the android keystore the best practice is to store then in a server and get them when needed. There are other ways to store like storing them in an image in the android resources.

You can also use an obfuscator when generating an apk , do this by enabling proguard. This is the action that you missed in the above question.