Android Question Obfuscation

[Rusty]

Erel,
We have been using the Release Obfuscated to compile our .apk's.
One of my staff, decompiled the .apk and was readily able to read ALL of the code including "secret" keys.
I am very concerned about this.
In our code (for example) we store encryption keys:
Code:

Sub Class_GlobalsDim Keys AsList
Keys.Initialize
Keys.add(ArrayAsByte(...,...,...))
Keys.add(ArrayAsByte(...,...,...))
Keys.add(ArrayAsByte(...,...,...))End Sub

We compile it obfuscated...
We use Dex2Jar on classes.dex; This creates a jar file; Then we use JD-gui to de-compile the jar; the results are:
Code:

publicString _class_globals()
throws Exception
{
this._vv1 = new List();
this._vv1.Initialize();
this._vv1.Add(new byte[] { ...,...,...});
this._vv1.Add(new byte[] { ...,...,... });
this._vv1.Add(new byte[] { ...,...,... });return"";
}

Is there anything we can do to hide this further?
Alternatively, is there a process to "share" encryption keys from tablet to PC server that might be more secure?
Thanks,
Rusty

 

[eps]

Have you read this? http://www.b4x.com/android/forum/threads/android-code-obfuscation.13773/

 

[Rusty]

yes, did i miss something? I don't have an _ in the variables, they are global (to a class, is that a problem?)

 

[eps]

What are you expecting the obfuscator to do that it's not doing? I think it's mostly obvious, but if you are placing 'secret' keys in your code I don't think that this is a good practice. I also don't think that the obfuscator would touch those, it will only touch the variable names.

This bit?

Strings obfuscation
Any string written in Process_Globals sub (and only in this sub) will be obfuscated, making it much harder to extract important keys. The strings are defuscated at runtime.

 

[Rusty]

I guess I was expecting a lower level (like binary/machine code on a pc). It appears the android "compiles/interprets" source code when apps are running. If this is so, then anyone can hack the source code of an app...correct?
I assume if I move the variables to the PROCESS_GLOBAL instead of CLASS_GLOBAL, the obfuscation will improve (from you last statement above).

Given, obfuscation won't accomplish the security of keys embedded within, what is the proper way to handle encryption keys?
e.g. Tablet encrypts data, sends to server (on pc), the server needs to be able to decrypt ... how can we share keys given the code; calculations; encryhption keys are viewable by anyone with those programs?
Thanks,
Rusty

 

[Erel]

I assume if I move the variables to the PROCESS_GLOBAL instead of CLASS_GLOBAL, the obfuscation will improve (from you last statement above).

Only if the keys are strings. Otherwise they will remain as is (only the variable will be renamed).

 

[Rusty]

Thanks Erel. I think I'm getting it...I hope
instead of using byte arrays, if I use strings (string arrays ok?) to store the keys, AND they are in PROCESS_GLOBALS, they'll be obfuscated, right?
Rusty

 

[Erel]

Yes. Any string that appears in Process_Globals sub will be obfuscated.

Sub Process_Globals
 Dim Keys() As String = Array As String("These", "strings", "will", "be", "obfuscated")
 Dim k As String = "This will also be obfuscated"
 Dim b() As Byte = "this too".GetBytes("UTF8")

 

[Rusty]

Thank you for putting up with me. It took me a bit to understand.
I'll give this a try and report back if there are still issues.
Thanks Erel.
Rusty

 

[Rusty]

One last question.
If I follow your above guidelines; move my CLASS_GLOBAL variables to the PROCESS_GLOBAL in the MAIN of my class definition as strings (instead of byte array), will the variables be obfuscated in the resultant class .jar?
Rusty

 

[Erel]

will the variables be obfuscated in the resultant class .jar?

Sorry but I'm not sure that I understand the question.

 

[Rusty]

Sorry,
What I meant was: When I create a library (class), there is a MAIN required for it to be compiled. The Class, of course, is a "module" attached to the project. If I move the keys list or table to the MAIN module in the class project, then "compile to library", will the resultant .jar file (library) have the table obfuscated or will I need to move the key data into each application that uses the library (.jar file)?
Rusty

 

[Erel]

The string in the main activity will not be included in the compiled library. You cannot obfuscate strings in libraries. You will need to put the string in one of the project modules.

 

[Rusty]

Ok. Thanks. I really appreciate your help on this.
Rusty