Android Question Java vulnerabilities

[nickt]

Hi, I'm new to Java and mainly have a background in optimising performance of large and complex databases so my question may seem elementary.

With Java vs C++, is there a much larger risk of hackers being able to attach to the compiled release version (all B4X platforms) to read runtime values from variables (created post launch) or calling functions at the app/VM interface? I have had a look on Google and Bing but articles seem to be old and contradictory in some cases.

If so, is there a technique to mitigate this? I appreciate not storing values in the app helps but is that enough?

Thanks

 

[Erel]

all B4X platforms

B4A and B4J. Not B4i nor B4R.

It is not simple at all to read variables values or to call methods. Generally speaking and it doesn't matter which language you are using, you shouldn't put sensitive data (keys) inside the app.

 

[hatzisn]

B4A and B4J. Not B4i nor B4R.

It is not simple at all to read variables values or to call methods. Generally speaking and it doesn't matter which language you are using, you shouldn't put sensitive data (keys) inside the app.

Let's say you create an app that communicates with a back end with encrypted data. What options do you have other than keep the key in the app?

 

[jahswant]

Let's say you create an app that communicates with a back end with encrypted data. What options do you have other than keep the key in the app?

Keep the key on the server and download it when needed.

 

[hatzisn]

Keep the key on the server and download it when needed.

Yes, that crossed my mind but then I thought what's the point. If a malitious user can see my code then he will be able to run the program in debug mode and get the key. What I thought to do was use the obfuscation of B4A/J for strings, variables and procedures for the key and torture him a bit if he just reads code, before I surrender ???.