Hi,

I need to hide a value in a mobile (Android OS) application. As far as I can see, encrypting the value is of no use as the key to the encryption mechanism must be available to the program and is thus available to an attacker reverse-engineering the code. So, it seems that the only "solution" is to hide the secret value in the application as well as possible, obviously not ideal. Any comments? Am I missing something? If not, what's the best way to hide the value?

Thanks for your ideas! Ewan

+2  A: 

No matter what method you use to hide a value, he (his phone) has to have enough information to decode and un-hide it or it's not usable. There is no reliable way to prevent him from seeing it if you're allowing a device he controls to use it.

Your best bet is to simply abandon the delusion that this can be done, and instead focus on the probability that someone will even want to reverse-engineer your code, and mitigate the adverse effects for when it happens.

You might as well simply include the value in the app, perhaps lightly encoded (e.g. base64, etc) to prevent casual observers from seeing it. If anyone does figure it out, you'll probably never even know (or care).

If the information absolutely must be kept secret, then it absolutely must be kept off the user's phone. Instead set up a service (such as a web service) to interact with the information, but never actually retrieve it.

tylerl
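The pattern from the answer's last paragraph, sketched as an added example (not code from the original post): the server holds the secret and hands back only the result of using it, while a base64-encoded value shipped in the app is undone in one call. The names `handle_sign_request`, `verify`, `recover_embedded`, the `UPSTREAM_API_KEY` variable and the JSON request shape are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed demo value. On a real server this comes from the server's
# own secret store; nothing derived from it is packaged into the APK.
SERVER_SECRET = os.environ.get("UPSTREAM_API_KEY", "constructed-demo-key").encode()
MAX_PAYLOAD = 4096  # refuse oversized bodies before parsing them


def _tag(message: str) -> str:
    return hmac.new(SERVER_SECRET, message.encode(), hashlib.sha256).hexdigest()


def handle_sign_request(raw_body: bytes) -> dict:
    """Endpoint logic (hypothetical): use the secret, return only the result."""
    if len(raw_body) > MAX_PAYLOAD:
        return {"status": 413, "error": "payload too large"}
    try:
        message = json.loads(raw_body)["message"]
        if not isinstance(message, str):
            raise TypeError("message must be a string")
    except (ValueError, KeyError, TypeError):
        return {"status": 400, "error": "expected JSON object with string 'message'"}
    # The response carries the message and its tag, never the key itself.
    return {"status": 200, "message": message, "tag": _tag(message)}


def verify(message: str, tag: str) -> bool:
    """Server-side check of a tag, using a constant-time comparison."""
    return hmac.compare_digest(_tag(message), tag)


def recover_embedded(encoded: str) -> str:
    """What 'lightly encoded' protects against: casual observers only."""
    return base64.b64decode(encoded).decode()


if __name__ == "__main__":
    body = json.dumps({"message": "order=42"}).encode()  # constructed request
    resp = handle_sign_request(body)
    print(resp)
    print("tag valid:", verify("order=42", resp["tag"]))
    shipped = base64.b64encode(b"value-in-apk").decode()  # constructed
    print("embedded value recovered:", recover_embedded(shipped))
```

Because the app itself can call this endpoint, it still needs per-user authentication and rate limiting; otherwise anyone who extracts the URL can use the secret without ever reading it.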