Yes Houston "we" have got a problem :) Strings are in general very easy to extract from binaries, even from C/C++ programs via the "strings" *nix command for example. You don't need to decompile anything!
What you could do is manually obfuscate your strings some more:
- split the key-string in multiple strings, concatenate only where you need them (or at a totally unrelated place)
- store the key-string encoded in your code (e.g. Base64), decode it only when you need them (or at a totally unrelated place)

Of course not super-strong protection but might protect you from the basic script-kiddie.

On Dec 30, 10:20 pm, jacek <jacek.ambroz...@gmail.com> wrote:
> Apps that integrate with various web services and APIs, such as Twitter,
> need to use service provisioned API keys and shared secrets
> which are Java Strings.
>
> Such Strings should be retrievable by anyone who decompiles an .apk
> (I must try this myself against my own apk)
>
> In the next step the malicious developer will be able to impersonate
> the decompiled app...
>
> Am I missing something, or do we have a problem?

--
You received this message because you are subscribed to the Google Groups "Android Developers" group.
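An added example, not part of the original thread: a self-audit a developer could run over their own build output to see how an embedded key is exposed under the storage options discussed above (plain, Base64-encoded, split into fragments). The key value, the byte blobs and the function names are all constructed for illustration.

```python
import base64
import binascii
import re

def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII, as the `strings` command does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

def base64_decodings(strings: list[str]) -> list[str]:
    """Decode every token that is valid Base64 and yields printable text."""
    out = []
    for s in strings:
        for token in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", s):
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue  # wrong length or padding: not Base64
            if raw and all(0x20 <= b <= 0x7E for b in raw):
                out.append(raw.decode("ascii"))
    return out

def how_exposed(blob: bytes, secret: str, fragments: tuple = ()) -> str:
    """Classify how a known secret shows up in a binary blob."""
    found = printable_strings(blob)
    if any(secret in s for s in found):
        return "plain"
    if any(secret in s for s in base64_decodings(found)):
        return "base64"
    if fragments and all(any(f in s for s in found) for f in fragments):
        return "split"
    return "not found"

# Constructed sample data: a fake key stored three different ways.
KEY = "EXAMPLE-consumer-key-0001"
PLAIN_BLOB = b"\x00\x01" + KEY.encode() + b"\x00\xff"
B64_BLOB = b"\x00\x13" + base64.b64encode(KEY.encode()) + b"\x00"
SPLIT_BLOB = b"\x00EXAMPLE-cons\x00\x07\x00umer-key-0001\x00"

if __name__ == "__main__":
    print(how_exposed(PLAIN_BLOB, KEY))
    print(how_exposed(B64_BLOB, KEY))
    print(how_exposed(SPLIT_BLOB, KEY, ("EXAMPLE-cons", "umer-key-0001")))
```

In all three cases the key material is recovered from the raw bytes without decompiling anything, which matches the reply's point that these measures are not strong protection.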