lnktree

Reputation: 51

Strings protection in Android application

I want to protect some Strings in my Android application; they contain information that should not be viewed. The best idea I've had so far is to encrypt these strings using an AES algorithm or something and put the password in a Google Cloud Storage file that can only be viewed with authentication (by Firebase Auth), so in theory the application always accesses that file when needed. Is this a good idea?

Upvotes: 3

Views: 1235

Answers (3)

lnktree

Reputation: 51

I have already solved my question, I have these two methods that work very well:

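    import android.util.Base64;
    import java.nio.charset.StandardCharsets;
    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;

    // Encrypts message with AES in ECB mode (no IV) and returns the result as Base64.
    // The key string must be exactly 16, 24 or 32 bytes long when encoded as UTF-8.
    public static String encrypt(String message, String key) {
        String cipherText = null;

        try {
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES"));
            byte[] bytes = cipher.doFinal(message.getBytes(StandardCharsets.UTF_8));

            cipherText = Base64.encodeToString(bytes, Base64.DEFAULT);
        } catch (Exception ex) {
            // On any failure the stack trace is printed and null is returned.
            ex.printStackTrace();
        }

        return cipherText;
    }

    // Reverses encrypt(): Base64-decodes the input, then decrypts it with the same key.
    public static String decrypt(String encoded, String key) {
        String decryptString = null;

        try {
            byte[] bytes = Base64.decode(encoded, Base64.DEFAULT);

            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE,
                    new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES"));
            decryptString = new String(cipher.doFinal(bytes), StandardCharsets.UTF_8);
        } catch (Exception ex) {
            // On any failure the stack trace is printed and null is returned.
            ex.printStackTrace();
        }

        return decryptString;
    }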

After the encrypt method encrypts the message with AES, it uses Base64 to turn the byte[] into a readable String that can be stored in a strings.xml file or a Java class, and the decrypt method does the inverse. And my application only picks up the key online via Firebase Storage.

Now, if someone tries to reverse engineer my code, the only thing they can see is:

    <string name="code_1">nuD559T1j8VSqjidiF3Yag==</string>
    <string name="code_2">+4MTk9TaJJAJEV6D07K++Q==</string>
    <string name="code_3">4GlPuHyAGhd48bjuSvcvQQ==</string>
    <string name="code_4">yQnq3/tEIxJe67bhBuzoHw==</string>
    <string name="code_5">p/sDptvxdi0ynsuybvfI+A==</string>
    <string name="code_6">dE4aV0wG0aINh/dw0wwevQ==</string>
    <string name="code_7">vxNaPmHvnbGsydOYXSOSUA==</string>
    <string name="code_8">fClfcC/Eweh9tA8xz6ktGw==</string>
    <string name="code_9">FxzAZpH+SJt5Lv6VFU/BEQ==</string>
    <string name="code_10">qh3jFGHOGMzt50WOwTG4H4Y2Vbr7TzO433tbB3s6P34=</string>
    <string name="code_11">u7kZjN/bxkMEqDws4nvbnQ==</string>
    <string name="code_12">Ccf2u8FJGJ1lsiR7aX5OSw==</string>
    <string name="code_13">E4XsWDHO28pOhV4ter/f2A==</string>
    <string name="code_14">kgPr+Yz3t4S+Y5zQXjkvJA==</string>
    <string name="code_15">19CpjUzKOw1fL8bZH8xkMg==</string>

Upvotes: 1

Leśniakiewicz

Reputation: 904

It seems to be a very good idea as long as you don't need these strings in offline mode. Otherwise use Keystore.

More information: https://developer.android.com/training/articles/keystore.html

Example: https://www.androidauthority.com/use-android-keystore-store-passwords-sensitive-information-623779/

In addition, when you don't need these values in offline mode, you can store them in Keystore and store remotely only the private key, not all strings.

Upvotes: 0

Thientvse

Reputation: 1791

You can refer to the NDK. Example:

    #include <string.h>
    #include <jni.h>

    /* Returns the hard-coded string to the Java caller as a jstring. */
    jstring Java_com_riis_sqlndk_MainActivity_invokeNativeFunction(JNIEnv* env,
                                                                   jobject javaThis) {
        return (*env)->NewStringUTF(env, "pass123");
    }

And use in Android:

    import android.app.Activity;
    import android.os.Bundle;

    public class MainActivity extends Activity {

        static {
            // Loads libsqlndk.so, which contains the native function.
            System.loadLibrary("sqlndk");
        }

        // Implemented in the native library.
        private native String invokeNativeFunction();

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);

            // Fetch the string from native code.
            String key = invokeNativeFunction();
        }
    }

I hope it can help your problem!

Upvotes: 0
