Android Question protecting embedded ClientIDOauth using code obfuscation?

[Dave O]

I've added a feature to my app that uses Google Drive to store backups.

In this super-helpful post by Fredo, he mentions that the clientID for OAuth should never be stored in the source code, for security reasons (i.e. someone could get that ID by de-compiling the app).

However, in Erel's tutorial on obfuscation, it says that "Any string written in Process_Globals sub (and only in this sub) will be obfuscated, making it much harder to extract important keys.".

So, I've put the clientID string variable (with the string value assigned to it) in a service's Process_Globals section.

Is this relatively safe, or do I need to do something more exotic to protect the clientID from hacking eyes?

Thanks for any tips!

 

[MarcoRome]

I've added a feature to my app that uses Google Drive to store backups.

In this super-helpful post by Fredo, he mentions that the clientID for OAuth should never be stored in the source code, for security reasons (i.e. someone could get that ID by de-compiling the app).

However, in Erel's tutorial on obfuscation, it says that "Any string written in Process_Globals sub (and only in this sub) will be obfuscated, making it much harder to extract important keys.".

So, I've put the clientID string variable (with the string value assigned to it) in a service's Process_Globals section.

Is this relatively safe, or do I need to do something more exotic to protect the clientID from hacking eyes?

Thanks for any tips!

When you obfuscate your code, if you entered your variable type Dim k_you as string = "Myidhere........"
you will get a similar result in your code.

public static String _process_globals() throws Exception {
_k_you = main.vvv13(new byte[]{(byte) 24, (byte) 17, (byte) -38, (byte) -44, (byte) 17, (byte) 32, (byte) -95, (byte) -25, (byte) 62, (byte) 93, (byte) -107, (byte) -125, (byte) 24, (byte) 63, (byte) -106, (byte) -84, (byte) 22, (byte) 21, (byte) -67, (byte) -31, (byte) 107, (byte) 45, (byte) -52, (byte) -108, (byte) 55, (byte) 101, (byte) -94, (byte) -37, (byte) 77, (byte) 58, (byte) -99, (byte) -126, (byte) 8, (byte) 34, (byte) -82, (byte) -126, (byte) 14, (byte) 27, (byte) -65}, 740332);
......

This will surely prevent inexperienced people from understanding the true value of your variable.
In any case, you are not 100% certain. A programmer with experience in reverse will certainly know the value of your variable.

 

[Dave O]

In any case, you are not 100% certain.

Marco, thanks for this.

I guess what I'm looking for is a way to strike a balance between making the clientID secure and the effort involved.

I'm particularly interested in what devs here have done for their own apps. Do they all store keys like this on their own servers, or is there a simpler method that's "good enough"?

 

[MarcoRome]

Marco, thanks for this.

I guess what I'm looking for is a way to strike a balance between making the clientID secure and the effort involved.

I'm particularly interested in what devs here have done for their own apps. Do they all store keys like this on their own servers, or is there a simpler method that's "good enough"?

Typically entering passwords in an app is not a good thing.
If they are stored on a server, well protected is definitely better.
In any case, as i told you the obfuscation of B4X is good for most users, it is not good for experienced users in reverse.
You could also follow these instructions from @Informatix which certainly allow you to strengthen your protection.
Look

Protect your application against copy and changes

This method uses the F5Steg and PackageUtils libraries from ProBundle. There's a demo available in the Play Store: https://play.google.com/store/apps/details?id=b4a.protecthw.flm The source code is attached to this message and is used as a reference in the following explanations. It will not...

www.b4x.com