Security of string resources

Question

I was wondering what\'s the security of Android\'s resources folders (I\'m especially concerned with strings). I know, I know, it would be ridiculous to store a password in Stri

Answer 1

Easy on a rooted phone. Expect anyone can read your string resources shared preferences, etc. I just hooked up ADB, changed to /data/data/com.tumblr/shared_preferences and read my username and password in the clear.

You can also download and decompile the apk. If you need to keep it secret, encrypt it.

Answer 2

Unfortunately it is pretty easy to get to the resources. Tools like apktool enable to do that. I have raised a similar question here. You may want to take a look.

Answer 3

The primary rule of thumb here is that ANYTHING stored on the device is open for sniffing and cracking.

There is no such thing as local security against those in physical control of the device.

Even if you encrypt it, the keys for decryption have to exist on the device or be easily accessible by the device.

As a side note, this is the number one reason for features such as Remote Wipe.

So, if you plan on storing something sensitive or just plain don't want a slightly interested user to see the data you've stored on the phone, then you're out of luck.

Answer 4

I know that the xml files are scrambled in the apk, but there is a hacker tool for unscrambling them back to plain text. I can't remember the name of it but I found it OK via Google. It works unfortunately!