Saving constant values securely

北恋 2021-01-20 18:54

I am working on an Android application related to secure data communication. I am using a few constant values in my application, and am saving them in constant.java class. I

2 answers
时光取名叫无心 2021-01-20 19:06

    It is fundamentally impossible to securely store secret constants on a device, since hackers can reverse engineer them through static and dynamic analysis. You can only make it a bit more difficult, by obfuscating the values:

    • Compute them with some algorithm, instead of storing them literally. Even a trivial algorithm may increase the time needed to extract the constants.
    • Distribute the components of the values throughout the code.
    • Use native code. It is generally more difficult to reverse engineer, at least if the code and its API are sufficiently large and complex.
    • Maybe look into whitebox cryptography, which tries to weave constant keys into the implementations of cryptographic algorithms, in such a way that the constant keys can't be extracted. This is still the realm of research and high-end commercial solutions.

    You might get some ideas that you can apply yourself from my presentation and from Scott Alexander-Bown's presentation at Droidcon in London.

    You can also use a commercial obfuscator like the extended version of ProGuard, DexGuard, to harden code for you, with techniques like string encryption and class encryption.

    How effective the protection is depends on the time and effort that you can invest, on the value of your product, on the time and effort that hackers are willing to spend, on their expertise, etc.

    Similar question: Best Practice for storing private API keys in Android

    (I am the developer of ProGuard and DexGuard)
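The first two techniques from the answer above (compute the value instead of storing it, and spread its components across the code), as an added Java example that is not part of the original answer or of ProGuard/DexGuard. The value "EXAMPLE-KEY1" is a constructed placeholder, and the rolling XOR mask is just one simple instance of "some algorithm".

```java
import java.nio.charset.StandardCharsets;

// The "before": a literal constant. It sits verbatim in the class constant pool,
// so a decompiler or a plain strings dump of the DEX recovers it instantly.
final class Constants {
    static final String API_KEY = "EXAMPLE-KEY1"; // constructed placeholder, not a real key
}

// The "after": the literal no longer exists anywhere in the binary.
// The masked bytes live in one class and the mask parameters in another,
// so neither class alone reveals anything ("distribute the components").
final class PartA {
    // "EXAMPLE-KEY1" XORed with a rolling mask m_i = (0x5A + 7*i) & 0xFF
    static final byte[] MASKED = {
        0x1F, 0x39, 0x29, 0x22, 0x26, 0x31,
        (byte) 0xC1, (byte) 0xA6, (byte) 0xD9, (byte) 0xDC, (byte) 0xF9, (byte) 0x96
    };
}

final class PartB {
    static final int SEED = 0x5A;
    static final int STEP = 7;
}

final class ObfuscatedConstants {
    // Recomputes the value at call time ("compute them with some algorithm").
    // Static analysis now has to follow the code path instead of reading a string;
    // the result is still plainly visible in memory to a debugger or instrumentation,
    // which is the dynamic-analysis limit the answer above describes.
    static String apiKey() {
        byte[] out = new byte[PartA.MASKED.length];
        int m = PartB.SEED;
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) (PartA.MASKED[i] ^ m); // low byte of the XOR is the plaintext byte
            m = (m + PartB.STEP) & 0xFF;
        }
        return new String(out, StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        String key = apiKey();
        // Demo-only self-check; a shipping build keeps no copy of the plaintext at all.
        if (!Constants.API_KEY.equals(key)) {
            throw new AssertionError("reconstruction mismatch");
        }
        System.out.println("reconstructed " + key.length() + " bytes");
    }
}
```

Compile with `javac` and run `java ObfuscatedConstants`; the `Constants` class exists only so the demo can confirm the reconstruction and would be deleted in a real build.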
