java – How to hide a secret number from decompilers in an Android application?


Right now my client application has a very secret number. It lies in the resources, in strings.xml; we urgently need to come up with something so that hackers cannot find anything, or at least suspend their atrocities 🙂 This number consists of 50 digits and is transmitted to the server as a string, as an API key. I came up with the following:

Create a static method that returns this number using some simple operations. It will be necessary to make calls to other methods from different libraries, even modify the support libraries, and make large weaves from one library to another. Let these libraries be written in C++ to complicate things even further.

Or is there a better solution? I've noticed somewhere that apktool can't decompile boolean; something like 0 and 1 turns out there, I don't remember exactly.

In general, what can you think of? Besides, doing such manipulations on every request to the server will take a long time, and if the number is obtained at the start of the game and stored in a variable, then it seems there are some utilities for viewing the Dalvik memory cells of the application.


It is generally accepted that everything that is in the client is revealed and lends itself to forgery.

If your scenario involves requests to the API of some third-party service, then either put up with the disclosure of the API key (after all, it is transmitted in requests in clear text and can be captured by a sniffer), or, alternatively, proxy requests to the service through your own proxies, which add the API key on the fly.
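
A sketch of the proxy option from the answer above, added here as an example and not part of the original post: the app calls your server without any key, and the server attaches it before forwarding. The upstream URL, the `X-Api-Key` header name, the allowed paths and the `SERVICE_API_KEY` environment variable are all assumptions.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values, not from the original post:
UPSTREAM = "https://api.example.com"              # placeholder third-party service
KEY_HEADER = "X-Api-Key"                          # hypothetical header the service expects
ALLOWED_PREFIXES = ("/v1/scores", "/v1/profile")  # hypothetical endpoints the app uses
FORWARDED_HEADERS = {"accept", "content-type"}    # everything else is dropped

def build_upstream_request(method, path, client_headers, body, api_key):
    """Return the request to send upstream, or None if the path is not allowed."""
    if ".." in path or not path.startswith(ALLOWED_PREFIXES):
        return None
    # Allowlist headers, so a key header supplied by the client never passes through.
    headers = {k: v for k, v in client_headers.items() if k.lower() in FORWARDED_HEADERS}
    headers[KEY_HEADER] = api_key  # the key is attached here, on the server
    return urllib.request.Request(UPSTREAM + path, data=body, headers=headers, method=method)

class KeyInjectingProxy(BaseHTTPRequestHandler):
    def relay(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = build_upstream_request(self.command, self.path, dict(self.headers),
                                     body, os.environ["SERVICE_API_KEY"])
        if req is None:
            self.send_error(403, "path not allowed")
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, payload = resp.status, resp.read()
        except urllib.error.HTTPError as err:   # upstream answered with 4xx/5xx
            status, payload = err.code, err.read()
        except OSError:                         # upstream unreachable or timed out
            self.send_error(502, "upstream unavailable")
            return
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = relay

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), KeyInjectingProxy).serve_forever()
```

The proxy then becomes the endpoint that needs protecting: it should authenticate its own users and rate-limit them, since anyone who can reach it can spend the key's quota on the allowed paths.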
