Android Strings Problem

String resources and string objects are vital in any mobile app, and they are used in every layer of an app: from on-screen text to server request parameters.

Strings also take part in Java/JSON serialization and deserialization, which makes it easy to hold complex data with Gson.

The problem

The Android system doesn't offer a native mechanism for protecting strings.

Any Android application's data can be extracted from a rooted device by copying the /data/data/<package_name> folder with ADB (Access Private Data on Android), and string resources are always public.

ProGuard is not enough

ProGuard (from GuardSquare) is a free tool for Android Studio that obfuscates your app (class names, methods, variables) and optimizes your APK at compile time by shrinking your code and resources, but it does nothing for strings.

We can use DexGuard (also from GuardSquare), which does encrypt strings, but it is expensive.

My Solution

A few years ago I started working on StringCare. StringCare (SC) is a combination of two tools:

  • A Groovy plugin for Android Studio (Java, C++, Groovy). It obfuscates string resources at compile time with Gradle.
  • An Android library for apps (Java, C++). It obfuscates and de-obfuscates strings at run time.

That means the string resources are not readable inside the APK.

Dynamic Application Data

Suppose a user profile needs to be held temporarily. The typical way to keep it would be SharedPreferences or an SQLite database. I think that is the right way, but any rooted device can extract this data easily with an ADB command.

We can't avoid this data extraction, but we can obfuscate the data before storing it:

The reverse process:
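The two steps described above (obfuscate before storing, and the reverse process on read) as an added, self-contained example. This is not StringCare's code and does not use its API: the class name ProfileStore, the method names put/get/rawStoredValue/overwriteRaw, the in-memory Map standing in for SharedPreferences, and the sample profile JSON are all constructed for this illustration. It uses only the JDK's javax.crypto (AES-GCM), so it runs on a plain JVM.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical helper (not StringCare): protects a value before it is written
 * to SharedPreferences/SQLite and restores it on read. The Map below stands in
 * for SharedPreferences so the example runs outside Android.
 */
public class ProfileStore {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();
    // Stand-in for SharedPreferences: name -> Base64(iv || ciphertext || tag)
    private final Map<String, String> prefs = new HashMap<>();

    public ProfileStore(SecretKey key) { this.key = key; }

    /** Obfuscate-before-store: AES-GCM with a fresh random IV for every value. */
    public void put(String name, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind value to its name
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        prefs.put(name, Base64.getEncoder().encodeToString(blob));
    }

    /** The reverse process: split the IV off, verify the GCM tag, decrypt. */
    public String get(String name) throws Exception {
        String stored = prefs.get(name);
        if (stored == null) return null;
        byte[] blob = Base64.getDecoder().decode(stored);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_BYTES));
        cipher.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        byte[] pt = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** What a copy of the app's data directory would actually contain. */
    public String rawStoredValue(String name) { return prefs.get(name); }

    /** Simulates the stored file being edited outside the app (for the tamper check). */
    void overwriteRaw(String name, String raw) { prefs.put(name, raw); }

    public static void main(String[] args) throws Exception {
        // Demo key generated per run; on a device it should come from the Android Keystore.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ProfileStore store = new ProfileStore(kg.generateKey());

        // Constructed sample profile, the kind of Gson payload the article mentions.
        String profile = "{\"name\":\"Ada\",\"email\":\"ada@example.com\",\"role\":\"admin\"}";
        store.put("profile", profile);

        System.out.println("on disk : " + store.rawStoredValue("profile"));
        System.out.println("restored: " + store.get("profile"));

        // A modified blob fails authentication on read instead of yielding garbage.
        byte[] blob = Base64.getDecoder().decode(store.rawStoredValue("profile"));
        blob[blob.length - 1] ^= 0x01;
        store.overwriteRaw("profile", Base64.getEncoder().encodeToString(blob));
        try {
            store.get("profile");
        } catch (AEADBadTagException e) {
            System.out.println("tampered blob rejected");
        }
    }
}
```

On Android the key should be generated in the AndroidKeyStore (KeyGenerator with a KeyGenParameterSpec that enables KeyProperties.BLOCK_MODE_GCM) rather than created per run as in this JVM demo, so that the key material itself never sits in the app's data directory. A key that is embedded in the APK can be recovered by anyone who decompiles the app, so such a scheme raises the cost of reading the data rather than making it unreadable; the GCM tag additionally lets the app detect that a stored value was edited outside of it.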

Adding Functionality

Taking advantage of resource obfuscation, we can also work with multi-line text blocks inside string resources:

The previous code is non-compliant as written, but after the compilation task the value of the "hello" string becomes a single line.

What's the trick?

The key used to work with the strings only exists in your application, so the data can be copied but never read.

More Information

If you find this software interesting, check out the organization page for more information about installation, usage, compatibility and limitations.

For security reasons, part of the code is not public.

Mostafa Anter

Senior Android Engineer @ The Weather Company | Android Jetpack, Android Development | Crafting High-Quality Mobile Experiences with Innovative Solutions | EMEA | Remote | 🌍

5y

I've been using this framework for two years, encrypting strings and then putting them inside an NDK library; I got a high level of protection from reverse engineering, thanks

Kendal Ugurlu

Software Engineer

6y

No rooted device is needed to read application data. Any application's APK can be downloaded from the Play Store with a Chrome extension and decompiled. It seems your solution saved my life. Thank you
