Reputation: 577
I am making an admin app to control the Firebase database for my main account, so imagine a 2-structure app: MainActivity and AdminActivity.
So in MainActivity I will have an EditText to input a password; if and only if the password matches the hardcoded password, the user can get to the AdminActivity using an intent.
So my question: this app will stay with me only, but in case it gets into the wrong hands, can someone open the AdminActivity without using the password or with some tool externally? I don't want to implement logging in on Firebase, so the database is open.
Upvotes: 1
Views: 53
Reputation: 95626
If someone gets ahold of the APK, it is easily decompiled. Even using obfuscation (ProGuard) will not hide hardcoded string constants. The attacker can then just try all the strings he finds in your app until he gets the password right.
Assuming that your AdminActivity is declared as exported="false" in the manifest, it would not be possible for an attacker to launch your Activity directly (like from another application). However, if the attacker got ahold of the APK, he could install it on a rooted device and do whatever he wants, or he could connect the device to a PC and use ADB to launch the AdminActivity directly.
There's probably 6 other successful "bypass the password" scenarios that I can't think of right now off the top of my head.
Upvotes: 1
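The exported="false" condition mentioned in the answer above can be checked before shipping a build. This is an added example, not code from the question or the answer: it reads a source-form AndroidManifest.xml and reports which activities other apps can start, including the pre-Android 12 default where an intent-filter without an explicit android:exported makes the activity exported. The sample manifest, package name and DebugAdminActivity are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
EXPORTED = f"{{{ANDROID_NS}}}exported"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest; package and DebugAdminActivity are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adminapp">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="false" />
    <activity android:name=".DebugAdminActivity">
      <intent-filter>
        <action android:name="com.example.adminapp.OPEN_ADMIN" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

def audit_activities(manifest_xml):
    """Return {activity name: (effective_exported, reason)} for each <activity>."""
    report = {}
    for act in ET.fromstring(manifest_xml).iter("activity"):
        name = act.get(NAME, "<unnamed>")
        declared = act.get(EXPORTED)
        if declared is not None:
            report[name] = (declared.lower() == "true", "explicit")
        elif act.find("intent-filter") is not None:
            # Pre-Android 12 default: an intent-filter implies exported=true.
            report[name] = (True, "implicit via intent-filter")
        else:
            report[name] = (False, "implicit default")
    return report

def launchable_by_other_apps(manifest_xml, launcher=".MainActivity"):
    """Names of exported activities other than the intended entry point."""
    return sorted(n for n, (exp, _) in audit_activities(manifest_xml).items()
                  if exp and n != launcher)

if __name__ == "__main__":
    for name, (exp, why) in audit_activities(SAMPLE_MANIFEST).items():
        print(f"{name:22} exported={exp!s:5} ({why})")
```

A clean result here only covers launches from other apps; it does not address the rooted-device case the answer describes.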
Reputation: 10125
The answer to the question can be Yes and also No.
Why Yes Answer: Suppose, while you hardcode the password, you save it somewhere or if anyone tries to look into your computer, then there is a chance of password leakage.
Why No Answer: Because the password is hardcoded, you are the only one who can know the password. There is no way a user can know it.
IMO, for better security, apply ProGuard to secure your app.
Upvotes: 0