Avoid reverse engineering

Question

Avoid reverse engineering

strike76 opened this issue 6 years ago · 8 comments

Hi, i use this library to encrypt string resource. With smali after decompiling app it's very easy to see original value. How can avoid reverse engineering ?

Answer 1 · 2018-07-11T11:12:55.000Z

Hi @strike76 😊
Are you talking about hardcoded strings on the code?

Answer 2 · 2018-07-11T12:19:02.000Z

Hi @efraespada i mean a string into strings.xml file. For example :

<string name="test" hidden="true" translatable="false">www.example.com</string>

Answer 3 · 2018-07-11T13:02:13.000Z

@strike76 then, you say:
1º APK generated using StringCare
2º APK decompiled
3º strings.xml file shows original values when they should be encrypted:

<string name="test" hidden="true" translatable="false">www.example.com</string>

Am I right?

Answer 4 · 2018-07-11T13:08:49.000Z

@efraespada Of course no !
But

decompile app
create smali (do you know ?)
add LOG instruction to smali code
recreate APK
install APK
launch log app from playstore (For example LogCat)
decrypt strings are visible

Answer 5 · 2018-07-11T19:29:28.000Z

Okay, finally I understood you.

StringCare doesn't take care about what happens from the decrypted string output.

With smali after decompiling app it's very easy to see original value

Of course, it is effortless without ProGuard obfuscation or obfuscating and knowing where SC.getString(...) is called on the code 😅

Proguard can obfuscate the Java classes, but not strings (StringCare purpose).

How can avoid reverse engineering?

No idea, If I knew how to do it this project wouldn't exist.

Answer 6 · 2018-07-12T08:08:21.000Z

ok thanks my friend! @efraespada

Answer 7 · 2018-07-12T09:48:06.000Z

Thanks to you for using the plugin/lib. Hope Proguard + StringCare could make tough the code inspection.

Alternatively, you can try DexGuard (ProGuard creators), but it's so expensive. 😕

Answer 8 · 2018-07-12T09:51:13.000Z

Dexguard it's very expensive! Thanks