Android Encrypt JSON String and Credentials

Hey, I'm currently looking into potential solutions for obfuscating or encrypting any JSON data and Credentials that would be required to go with the JSON connection string.

For example I have
String strExtraInfo = "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&key=" + VT_DatabaseHelper.strJSONKey;
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);

JSONObject jsonUpdates;

jsonUpdates = VT_JSON.getJSONfromURL("http://*****.co.uk/json/json_data.ashx?" + strTable + "data=1" + strExtraInfo);



This then has the credentials added and is sent. HTTPS is one solution, but our main concern is that the device could be hooked up to an external debugging program and the data extracted that way; also, being able to decompile the application opens even more holes for people to attack or inject data directly through the given JSON strings.

We currently use Eclipse's handy ProGuard feature to obfuscate as many of the program's classes and as much of its data as we can, but we're still worried that it could be intercepted if a person were to try hard enough.

Any examples or techniques that could be used to make this more secure would be greatly appreciated.
Asked by Psychotext
btan (Exec Consultant) commented:
Indeed, security through obscurity is not good enough, though it deters persistent attempts; an obfuscator is not perfect as a whole. You can catch this article on the different techniques, and it seems the more resistant one is the Bangcle appProtect service, which only decrypts in memory and has anti-debugging capability.

But most of the time using a packer or similar tools may also trigger false alerts in Android security software, so it is better to test on the eventual target device with the apps.

Also, you may want to catch Shield4J, which is Java based and does the securing functions too. But we have to be wary to avoid having hardcoded passwords or secrets in the code. Minimally they can be shared out of band or through other means instead.
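The answer above recommends not baking a secret into the code and sharing credentials out of band instead. The following is an added example (not code from this thread, from ProGuard/DexGuard, or from any of the products mentioned) of what that looks like in practice for the query string in the question: the server mints a random secret per device at enrolment, the client keeps it outside the APK (on Android this would be an AndroidKeyStore key; that storage step is assumed and not shown), and every request carries a timestamp, a nonce and an HMAC-SHA256 over the sorted parameters. The parameter names `device`, `ts`, `nonce` and `sig`, the `enrol` step, the in-memory server tables and the sample device id are all assumptions for illustration; `table` and `dtExampleData` stand in for `strTable` and `getInt(myContext)` from the question. It is plain JDK Java, so it compiles and runs on a desktop with `javac`/`java`.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: per-device secret issued at enrolment plus HMAC-signed query strings. */
public class SignedRequestDemo {
    // Server-side state (assumed; a real server would keep this in a database).
    static final Map<String, byte[]> DEVICE_SECRETS = new HashMap<String, byte[]>();
    static final Set<String> SEEN_NONCES = new HashSet<String>();
    static final long MAX_SKEW_MS = 5 * 60 * 1000L;   // reject requests more than 5 minutes old
    static final SecureRandom RNG = new SecureRandom();

    /** Enrolment (server side): mint a random secret for one device, returned once over TLS. */
    static byte[] enrol(String deviceId) {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);
        DEVICE_SECRETS.put(deviceId, secret);
        return secret;   // the client stores this in AndroidKeyStore (assumption), never in the APK
    }

    /** Canonical form both sides sign: parameters sorted by name, URL-encoded, joined with '&'. */
    static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<String, String>(params).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        return sb.toString();
    }

    static String enc(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String hmacHex(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hex(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
    }

    /** Client side: add device id, timestamp and nonce, then sign the canonical string. */
    static String buildSignedQuery(String deviceId, byte[] secret, Map<String, String> data, long nowMs) throws Exception {
        Map<String, String> p = new HashMap<String, String>(data);
        p.put("device", deviceId);
        p.put("ts", Long.toString(nowMs));
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        p.put("nonce", hex(nonce));
        String canon = canonical(p);
        return canon + "&sig=" + hmacHex(secret, canon);
    }

    /** Server side: parse, check freshness, compare the MAC in constant time, then reject replays. */
    static boolean verify(String query, long nowMs) throws Exception {
        Map<String, String> p = new HashMap<String, String>();
        for (String kv : query.split("&")) {
            int i = kv.indexOf('=');
            if (i < 0) return false;
            p.put(URLDecoder.decode(kv.substring(0, i), "UTF-8"), URLDecoder.decode(kv.substring(i + 1), "UTF-8"));
        }
        String sig = p.remove("sig");   // the signature covers every other parameter
        String device = p.get("device"), ts = p.get("ts"), nonce = p.get("nonce");
        byte[] secret = device == null ? null : DEVICE_SECRETS.get(device);
        if (sig == null || secret == null || ts == null || nonce == null) return false;
        long sent;
        try { sent = Long.parseLong(ts); } catch (NumberFormatException e) { return false; }
        if (Math.abs(nowMs - sent) > MAX_SKEW_MS) return false;
        String expected = hmacHex(secret, canonical(p));
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), sig.getBytes(StandardCharsets.UTF_8))) return false;
        // Only a request with a valid MAC gets its nonce recorded; a second use of the same nonce is a replay.
        return SEEN_NONCES.add(device + ":" + nonce);
    }

    public static void main(String[] args) throws Exception {
        String deviceId = "tablet-0042";                 // constructed sample device
        byte[] secret = enrol(deviceId);
        Map<String, String> data = new HashMap<String, String>();
        data.put("table", "updates");                    // stands in for strTable in the question
        data.put("dtExampleData", "17");                 // stands in for getInt(myContext)
        long now = System.currentTimeMillis();

        String q = buildSignedQuery(deviceId, secret, data, now);
        System.out.println("signed query: " + q);
        System.out.println("as sent:   " + verify(q, now));
        System.out.println("tampered:  " + verify(q.replace("dtExampleData=17", "dtExampleData=99"), now)); // one value edited in transit
        System.out.println("replayed:  " + verify(q, now + 1000));                                          // same query presented again
    }
}
```

What this buys is damage limitation rather than secrecy. A debugger attached to the device can still read the per-device secret out of memory, but it then holds only that device's credential, which the server can rate-limit, scope to that device's rows and revoke, instead of a key shared by every installation and every table. Signing the sorted parameters also means a value changed between the app and the server fails verification, which covers the "inject data through the JSON strings" concern for traffic in transit; it does not stop a rooted device from signing arbitrary values, so the server must still validate each parameter on its own terms. The timestamp bounds replay to the skew window and the nonce table closes it within that window.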
 
Psychotext (Author) commented:
Through that article you posted (it was a very interesting read) I came across and followed up DexGuard, which massively appeals to what I require since it's from the same developer as ProGuard and holds all the features I need. My concern with this is that, unlike the other two you linked, they do not have a 'trial' version to test out certain features.

What I'm worried about is that I also currently use Bugsense/Splunk for error reporting and debug information sent from the tablet. I know that ProGuard allows for this by having the mapping.txt uploaded so the functionality remains, but I don't seem to be able to find any information on the DexGuard website stating whether or not they do it.
 
btan (Exec Consultant) commented:
A decompiler can still decompile the obfuscated code, which is what ProGuard is doing, but DexGuard has more measures indeed. I believe both DexGuard and ProGuard have the retrace.bat, which works for each uniquely. I saw in a forum that it was suggested to use DexGuard's retrace tool instead, e.g. java -jar /var/DexGuard/lib/retrace.jar -verbose mapping.txt trace.txt
It should still be viable since it is backward compatible with ProGuard, but I have not heard of any thorough test of it though. It may still be worth exploring with the DexGuard support. http://www.saikoa.com/contact