0

Let's say I (as an app developer) want to encrypt something with a key that's stored somewhere in my app. Ultimately, I have to load that key into memory and pass it, along with the plain-text data, to some Java class in javax.crypto. Since those classes are provided by the JVM at runtime, if an attacker is able to control the JVM and swap out the implementation of those classes on his own Android device, he'll be able to see both the key and the plain text that my app wants to encrypt. And since Android is open-source, anyone can modify it and build it to run on their own device, and run my app on it. Wouldn't that mean that they can steal my app's key and see my plain-text?

If so, is there any way to protect against that? For example, use a third-party crypto library that's included in my APK? (Although someone could just as easily decompile the APK and swap out those classes too, couldn't they?)

Todor K.
  • 653
  • 6
  • 12
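To make the scenario in the question concrete, the following is an added example (not code from the question or the answer) showing exactly where the key and the plaintext are handed to runtime-provided `javax.crypto` classes, and how to check which provider actually backs the cipher. The key bytes are constructed for illustration only; the class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class WhoSeesTheKey {

    // Constructed 16-byte key for illustration only (not a real key; a real app
    // would not embed key material as a string literal).
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    /** Returns the ordered provider list the JCA consults when resolving a Cipher. */
    public static String[] providerNames() {
        Provider[] providers = Security.getProviders();
        String[] names = new String[providers.length];
        for (int i = 0; i < providers.length; i++) {
            names[i] = providers[i].getName() + ": " + providers[i].getInfo();
        }
        return names;
    }

    /** Encrypts plaintext with AES-GCM and returns IV || ciphertext. */
    public static byte[] encrypt(byte[] plaintext) throws Exception {
        // Step 1: the raw key bytes are wrapped in a SecretKeySpec. From here on the
        // key is ordinary object state in the app process, visible to any code
        // running in that process.
        SecretKeySpec key = new SecretKeySpec(KEY, "AES");

        // Step 2: the implementation is resolved at runtime from the provider list.
        // The app names an algorithm, not a class; the runtime decides which class
        // (and which provider) it gets.
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        Provider backing = cipher.getProvider();
        System.out.println("AES/GCM is backed at runtime by provider: " + backing.getName());

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);

        // Step 3: both the key and the plaintext are passed into that provider's code.
        // Whatever implements Cipher here sees both; the app cannot prevent that.
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);

        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        for (String p : providerNames()) {
            System.out.println("provider: " + p);
        }
        byte[] ct = encrypt("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("output length (12-byte IV + ciphertext + 16-byte tag): " + ct.length);
    }
}
```

Logging `cipher.getProvider()` is a useful sanity check during development (for example, to confirm a hardware-backed or expected provider is the one selected), but it is not a defence: on a device where the attacker controls the runtime, the provider list and the `Provider` object returned are themselves under the attacker's control, which is the situation the answer below describes.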

1 Answer

2

Don't worry about it. Once Android security has been broken to the point where an attacker can start replacing classes in your system load path, you're dead. There are tons of attacks they could mount on your app or the OS in general.

Neil Smithline
  • 1,526
  • 9
  • 21