android - How secure is ProGuard against reverse engineering?


I am working with sensitive data in an app. Obfuscation is by definition not added security; it delays a cracker for a finite time. Is it possible that ProGuard may be called added security?

What is sensitive is the network calls. It is hard to sniff the password because we generate the password on both sides and check its validity with timestamps. The problem is that the app may be reverse engineered and the generation algorithm may be exploited.

It is not possible to keep the algorithm locally in a file, because on a rooted phone a cracker may be able to retrieve it. It would not work to download the algorithm from the server, because the same problem applies here: if a cracker reverse engineers the app, he/she will be able to see where the algorithm is taken from.

Any input on how to proceed is appreciated!

Edit

What I am trying to protect is the generation algorithm, so that a cracker may not send a lot of data to our server.

Generally, you can make a cracker's life harder. The harder you make it, the fewer remain, if the financial incentive is limited.

Your code obfuscation options are:

  • Use ProGuard; it does the job, not perfect of course,
  • Use DexGuard, which can make reverse engineering harder, encrypting strings, or detecting code tampering
  • Write critical parts in C

Regardless of code obfuscation, make your network protocol hard to mess around with: encrypt and sign messages, make sure messages cannot be repeated (by using time or sequence), and authenticate the client.

Don't save anything sensitive on disk in clear text.
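The "sign messages, prevent repeats, authenticate the client" advice in the answer above can be enforced on the server roughly as follows. This is an added example, not code from the original question or answer. The names `sign`, `Verifier` and `MAX_SKEW`, the message layout, and the use of a per-client key issued at login (so a key pulled out of one device does not let anyone forge another client's requests) are all assumptions; encryption is assumed to be handled by TLS.

```python
import hashlib
import hmac
import time

MAX_SKEW = 30  # seconds a signed message stays acceptable (assumed value)


def sign(key, client_id, seq, ts, body):
    """HMAC over identity, sequence, timestamp and body hash, so no field can be swapped."""
    msg = "|".join([client_id, str(seq), str(ts), hashlib.sha256(body).hexdigest()])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server-side check: authenticate, then reject stale or repeated messages."""

    def __init__(self, keys):
        self.keys = keys      # client_id -> per-client secret (assumed issued at login)
        self.last_seq = {}    # client_id -> highest sequence number accepted so far

    def verify(self, client_id, seq, ts, body, tag, now=None):
        now = int(time.time()) if now is None else now
        key = self.keys.get(client_id)
        if key is None:
            return "unknown-client"
        expected = sign(key, client_id, seq, ts, body)
        # Constant-time comparison; check the MAC before trusting seq or ts.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        if seq <= self.last_seq.get(client_id, -1):
            return "replayed"
        self.last_seq[client_id] = seq
        return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample value
    server = Verifier({"device-1": key})
    body = b'{"action": "submit", "value": 10}'       # constructed sample request
    tag = sign(key, "device-1", 1, 1000, body)
    print(server.verify("device-1", 1, 1000, body, tag, now=1005))  # first delivery
    print(server.verify("device-1", 1, 1000, body, tag, now=1006))  # same message again
```

Because the sequence counter is kept per client, the server can also rate-limit or revoke a single key when one client starts sending a lot of data, without affecting other users.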

