I am doing a POC to secure strings using the Android NDK. I have kept a string "My secret key" in C++ code and then access it in Java using JNI. The app is working without any issues. Then I decompiled the APK file, and I am still able to see the string "My secret key" in the .so files. How can I secure strings using the NDK approach?
- You have to (1) mangle the string, (2) do that before building your shared library. Either use the standard preprocessor, or add a custom preprocessing step. (3) Adapt your code to be aware of the mangling and demangle when required. However, note that it may be possible to catch the demangled string by monitoring the process's memory image. – StoryTeller - Unslander Monica Oct 25 '16 at 10:10
- Don't bother - any rooted Android with a debugger attached can get at your strings. – Richard Critten Oct 25 '16 at 10:49
- @RichardCritten still, there is a difference between strings visible from the `strings libXXX.so` command and those that involve **gdb**. – Alex Cohn Oct 25 '16 at 19:07
- @AlexCohn it all depends on the value of the resource(s) you are trying to protect and the effort you would have to expend if/when it becomes compromised. The OP's post does not describe the use-case of "My secret key" - so we don't know the value of what he is trying to protect. – Richard Critten Oct 25 '16 at 20:23
- Can I ask you how you open a .so file? – isJulian00 Apr 10 '19 at 20:54
- @gdb what are the 2 types of strings when you said "those that are visible from strings libXXX.so command" and those that involve gdb? – isJulian00 Apr 10 '19 at 21:25
1 Answer
We have an open source working implementation of storing a secret key in the NDK. You can find all the details here: https://github.com/klaxit/hidden-secrets-gradle-plugin
This plugin uses the NDK and the XOR operator to hide string keys and avoid reverse engineering based on APK decompilation.

Ben-J
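The idea discussed in the comments and in this answer (mangle the string before it reaches the shared library, demangle it at runtime) can be sketched in C++14 as follows. This is an added example, not the plugin's code; `kSeed`, `mask_at`, `MaskedString`, `get_secret` and `stored_image_contains` are hypothetical names, and the XOR mask is obfuscation only.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical mask seed (an assumption of this example). XOR with a constant
// that ships in the same binary is obfuscation, not encryption.
constexpr unsigned char kSeed = 0x5A;

// Position-dependent mask byte, so repeated characters do not repeat in the output.
constexpr unsigned char mask_at(std::size_t i) {
    return static_cast<unsigned char>(kSeed + 31u * i);
}

// Masked copy of a string literal; N includes the trailing NUL.
template <std::size_t N>
struct MaskedString {
    unsigned char bytes[N] = {};

    // Evaluated by the compiler when used to initialise a constexpr object.
    constexpr explicit MaskedString(const char (&plain)[N]) {
        for (std::size_t i = 0; i < N; ++i)
            bytes[i] = static_cast<unsigned char>(plain[i] ^ mask_at(i));
    }

    // Runtime demangling; from here on the plaintext exists in process memory.
    std::string reveal() const {
        std::string out(N - 1, '\0');
        for (std::size_t i = 0; i + 1 < N; ++i)
            out[i] = static_cast<char>(bytes[i] ^ mask_at(i));
        return out;
    }
};

// constexpr forces masking at compile time: only the masked bytes are stored
// for kSecret, and the literal is never referenced by runtime code.
constexpr MaskedString<sizeof("My secret key")> kSecret("My secret key");

// What a JNI entry point would call before returning the value to Java.
std::string get_secret() { return kSecret.reveal(); }

// Defender's check: does the stored (on-disk) form of kSecret contain `needle`?
bool stored_image_contains(const std::string& needle) {
    const std::string image(reinterpret_cast<const char*>(kSecret.bytes), sizeof(kSecret.bytes));
    return image.find(needle) != std::string::npos;
}

int main() {
    std::cout << get_secret() << " / plaintext in stored bytes: "
              << std::boolalpha << stored_image_contains("My secret key") << "\n";
}
```

Checking the built library with `strings libXXX.so` confirms whether the literal is gone; the demangled value is still recoverable from process memory with a debugger, as the comments point out.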