Obfuscate Strings in Java

Question

I'm working on a project and I need specific URL calls to be hidden; I don't want this URL to be visible. Here's an example of how the URL call would look.

public void example(View view) {
    goToUrl("example.com");
}

Answer 1

One possibility is to use the array of integers with some shift operation for the strings which needs to be obfuscated. But as others already mentioned, this is just a mechanism to hide the plain string. With some effort, it can be decoded easily.

Gettign int array code

public static String getIntArrayCode(String string) {
  int[] result = new int[string.length()];
  for (int i = 0; i < string.length(); i) {
    int numericValue = Character.codePointAt(string, i);
    result[i] = numericValue << 3;
  }
  StringBuffer arrayCode = new StringBuffer();
  arrayCode.append("new int[]{");
  for (int i = 0; i < result.length; i) {
    arrayCode.append(result[i]);
    if (i < result.length - 1) {
      arrayCode.append(",");
    }
  }
  arrayCode.append("}");
  return arrayCode.toString();
}

This int array needs to be copied to the code.

To unobfuscate, use the method

public static String getString(int[] data) {
  StringBuffer test = new StringBuffer();
  for (int i = 0; i < data.length; i) {
    int t = data[i] >> 3;
    test.append((char) t);
  }
  return test.toString();
}

Usage :

//"Hello12345&%$";
int []data1 = new int[]{1152,1616,1728,1728,1776,784,800,816,832,848,608,592,576};
System.out.println(getString(data1));

Obfuscating the application (eg : using Proguard ) would help to hide the decode function to some extend.

Answer 2

Taking a look back at this question after almost 2 years, This question has gotten quite a lot of attention, I have found some obfuscators that I ended up using for String obfuscation but every Obfuscation can be broken. This is my List of obfuscators that encrypts Strings I will start of by listing paid obfuscators.

1. Zelix Klass Master

Their official website is https://zelix.com

This is one of the best java obfuscators for either jar or android in my opinion. How ever It's not cheap as expected because of how good the obfuscator is.

A single license can cost you $239 If you are a small developer or $479 if you are a team of developer (Comapany).

You can see the list of features here

2. DexGuard

Their official website is https://www.guardsquare.com/en

DexGuard is an Obfuscator made by the people who are behind Proguard

This is the second best obfuscator in my opinion. The name obfuscation is way better then the name obfuscation on Zelix.

I am not sure about their pricing since I have never used it but I have seen it being used on applications. How ever you can request a pricing here

Free Obfuscators.

You can find free alternative's such as StringCare and Paranoid

They aren't as good as the one's I listed above, It would take at most 5 seconds for someone with basic knowledge of java to crack your program with these two tools.

Answer 3

For obfuscating Strings you can now use a new gradle plugin + library, Please check it here

https://github.com/MichaelRocks/paranoid

Also now there is a new plugin which can obfuscate resources also, please check it below

https://github.com/shwenzhang/AndResGuard

share so more developers can use it and thus more and more developers will contribute to the further development of these plugins, and thus we can collectively improve these plugins.

Answer 4

You really can't. You can obfuscate method names because in the end the original method name never needs to be known. You can just work with the obfuscation. Here you do eventually need to know the real URL. So there would need to be an unobfuscate function. Which means you could trivially get the result from there. Or you know, just track what url outgoing HTTP requests use via a proxy.