Android Question: Hiding strings in the code

ALBRECHT

Active Member
Licensed User
Hello,

For security, is it necessary, and if yes, what is the best method for:

Hiding particular parameters, constants or vars in the code,
like:
B4X:
Public PhaRcs As String = "Mypassword" ' Password
Public WebSite As String = "https://www.MyWebSite.com" ' Url
Public ServerUrl As String = WebSite & "/Asp/ListCatJson.asp" ' Url part
Public DbGlobal As String = "dbglobal.db" ' Db Name

It may be a ridiculous idea, but I ask the question anyway.

For example if there are reverse assemblers or compilers ...
or for best practices

Thanks,
Michel
 

emexes

Expert
Licensed User
Longtime User
Refer to this thread in general:

https://www.b4x.com/android/forum/threads/obfuscation.37699/

and this post in particular:

https://www.b4x.com/android/forum/threads/obfuscation.37699/#post-222647

Having said that, if for some reason you don't want to use the standard obfuscation, then you could always do your own form of it by eg:

- assembling the strings at runtime from fragments of it that are spread about your program
Dim Public AddrStreet As String = "/Asp/ListC" 'in process globals of one module
Dim Public AddrSuburb As String = "atJson.asp" 'in process globals of another module
Public ServerURL As String = WebSite & AddrStreet & AddrSuburb 'close to where you need it
HttpRequest(WebSite & AddrStreet & AddrSuburb) 'or even better, don't have a public variable with the unencoded string

- using runtime Chr() to disguise essential characters as numeric values
Public ServerUrl As String = WebSite & "/Asp/ListC" & Chr(97) & "tJson" & Chr(46) & "asp"

- encode the string as Base64, that's enough to throw off most people
Dim su As StringUtils
Dim bc As ByteConverter
Dim Secret = "/Asp/ListCatJson.asp"
Dim Encoded As String = su.EncodeBase64("/Asp/ListCatJson.asp".GetBytes("UTF8"))
Dim Unencoded As String = bc.StringFromBytes(su.DecodeBase64(Encoded), "UTF8")
Log(Secret)
Log(Encoded)
Log(Unencoded)

- combine the techniques, eg:
Dim su As StringUtils
Dim bc As ByteConverter
Dim ShortcutIcon As String = "0FzcC9MaXN0Q2F0SnNvbi5hc3A=" 'innocuous variable name, cut off leading "L" to throw off even more people
Log(bc.StringFromBytes(su.DecodeBase64(ShortcutIcon), "UTF8")) 'junk
Log(bc.StringFromBytes(su.DecodeBase64(Chr(64 + 12) & ShortcutIcon), "UTF8")) 'restore the missing "L"
 
Upvote 0
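An added example (not code from any poster in this thread): a Python self-check to run over the string constants of your own build, showing which of the Base64 variants in the post above still give the value away. The constants are assumed to be already extracted into a list; the sample list is constructed from values in the posts, and `recover` and `audit` are names invented for this sketch.

```python
import base64
import binascii
import re

B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def _text(data: bytes):
    """Return data as str if it is at least 4 printable ASCII bytes, else None."""
    if len(data) >= 4 and all(0x20 <= b <= 0x7E for b in data):
        return data.decode("ascii")
    return None

def recover(constant: str):
    """Return (technique, recovered_text) for a constant that is only encoded, else None."""
    if not B64_SHAPE.fullmatch(constant):
        return None
    try:
        if len(constant) % 4 == 0:
            # Plain Base64 decodes as-is.
            text = _text(base64.b64decode(constant, validate=True))
            return ("base64", text) if text else None
        if len(constant) % 4 == 3:
            # One leading character cut off: any filler character restores the
            # alignment, and only the first decoded byte depends on it.
            data = base64.b64decode("A" + constant, validate=True)
            text = _text(data[1:])
            return ("base64, first character dropped", "?" + text) if text else None
    except binascii.Error:
        return None
    return None

def audit(constants):
    """Map every constant that recover() can read back to its finding."""
    findings = {}
    for c in constants:
        hit = recover(c)
        if hit:
            findings[c] = hit
    return findings

# Constructed sample, built from the values used in the thread.
SAMPLE = [
    "Mypassword",                    # plaintext: not encoded, so not reported here
    "dbglobal.db",                   # plaintext
    "L0FzcC9MaXN0Q2F0SnNvbi5hc3A=",  # full Base64 of the URL path
    "0FzcC9MaXN0Q2F0SnNvbi5hc3A=",   # same value with the leading "L" removed
]

if __name__ == "__main__":
    for const, (how, text) in audit(SAMPLE).items():
        print(f"{const!r}: {how} -> {text!r}")
```

The `?` in the second finding marks the single byte that removing the first Base64 character actually conceals; the rest of the string comes back unchanged.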

DonManfred

Expert
Licensed User
Longtime User
Upvote 0

MarkusR

Well-Known Member
Licensed User
Longtime User
take into consideration
someone can read the memory of the used app.
someone can replace the library and you call HttpRequest or set UserName & Password there.
someone can replace the domain name and the app would send a connect to the wrong place.

usually i would give each user separate account data which he must input once and save this into a crypted settings file.
same for the url, can be an input setting once.
 
Upvote 0

ALBRECHT

Active Member
Licensed User
Ok thanks Emexes,

so I am going to try to mix the 2 methods for my strings declared in "Sub Process_Globals":
- assembling the strings by fragments
- + using the obfuscation process for those Process_Globals strings

Have a good week end
 
Upvote 0

ALBRECHT

Active Member
Licensed User
MarkusR,

in that case, where do you store the encrypted settings file, DirInternal?
 
Upvote 0

emexes

Expert
Licensed User
Longtime User
"take into consideration: someone can read the memory of the used app."
Agreed, which makes it impossible to 100% hide values within a program, and is where I was heading with this comment:

Public ServerURL As String = WebSite & AddrStreet & AddrSuburb 'close to where you need it
HttpRequest(WebSite & AddrStreet & AddrSuburb) 'or even better, don't have a public variable with the unencoded string


There is a diminishing-returns law in effect: OP has to weigh up how much effort to put into protecting this information, vs the problems caused by its revelation.

Spending 1 hour to deter 99.99% of people might be more acceptable than spending 1 week to deter 99.999% of people. And, generally speaking: added complexity = added fragility and support load, in my experience.
 
Upvote 0

ALBRECHT

Active Member
Licensed User
i agree 100%, as always, everything is a question of balance of returns
 
Upvote 0

MarkusR

Well-Known Member
Licensed User
Longtime User
"MarkusR, in that case, where do you store the encrypted settings file, DirInternal?"
sounds ok, it will be deleted at uninstall.

i never used it but "two-way SSL Authentication" seems great.
the server can be sure it's a correct client.
and the client can be sure the server is correct.
nobody else (without certificate) can make a connection.
 
Upvote 0
