security - How to secure string in Android Application?

Question

How to secure string in Android Application ?

Options:

1. ProGuard: It does not secure string? Does proguard work to obfuscate static string constants?

2. Encrypt String: for Encryption I need to store encryption key (string) some where and again it's same issue, how to secure encryption key.

3. Fetch string from web service: But this solution will not work for me, as app don't have internet requirement/access that's requirement/business decision.

4. NDK: write c file which contain string and return using JNI but I found Hex-Ray decompile to decompile *.so file https://www.hex-rays.com/index.shtml

================================================

Function in C

jstring Java_com_abc_xyz_getString(JNIEnv* env, jobject javaThis) {
  return (*env)->NewStringUTF(env, "Hello String");
}

====================================

Please suggest a best option to secure string in Android SDK/NDK.

Answer 1

Key protection and distribution is the big hole in cryptography. It has to be somewhere available at the time you need to decrypt the data.

So, if your string is entered by someone using the device, you could use the devices serial#/IMEI#/etc as the key. Somewhat secure, but not that difficult to reverse engineer. That would allow for the data to be decrypted locally without the user putting in a password, but would not allow the data to be distributed encrypted.

If you are trying to distribute encrypted data with the application, as you have discovered, the keys must be someone local to the device. Without a communications link to the outside world, the only choices are in the device or with the applications user.

Perhaps if you could give us the intended workflow, you could get more useful suggestions?