Android Encrypt JSON String and Credentials

Hey, I'm currently looking into potential solutions for obfuscating or encrypting any JSON data and Credentials that would be required to go with the JSON connection string.

For example I have
String strExtraInfo = "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&key=" + VT_DatabaseHelper.strJSONKey;
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);
strExtraInfo += "&dtExampleData=" + getInt(myContext);

JSONObject jsonUpdates;

jsonUpdates = VT_JSON.getJSONfromURL("http://*****.co.uk/json/json_data.ashx?" + strTable + "data=1" + strExtraInfo);

This then has the credentials added and is then sent. HTTPS is one solution, but our main concern is that the device could be hooked up to an external debugging program and the data extracted that way. Along with being able to decompile the application, this makes even more holes for people to be able to attack or inject data directly through the given JSON strings.

We currently use Eclipse's handy Proguard feature to obfuscate as much of the program classes and data that we can, but we're still worried that it could be intercepted if a person was to try hard enough.

Any examples or techniques that could be used to make this more secure would be greatly appreciated.
Psychotext Asked:

btan (Exec Consultant) Commented:
Indeed, security through obscurity is not good enough, though it deters against persistent attempts; an obfuscator is not perfect as a whole. You can catch this article on the different techniques, and it seems like the more resistant one is the Bangcle appProtect service, which only decrypts in memory and has anti-debugging capability.

But most of the time, using the packer or similar tools may also trigger a false alert in the Android security software, so it is better to test on the eventual target device with the apps.

Also, you may want to catch Shield4J, which is Java based and does the securing functions too. But we have to be wary to avoid having a hardcoded password or secret in the code. Minimally, it can be shared out of band or through other means instead.
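
An added example, not part of the original thread or any participant's code: rather than appending a static `&key=` value to the query string, the client signs each request with HMAC-SHA256 and the server rejects anything altered or stale. The per-device secret (assumed to be provisioned out of band), the `ts` and `sig` parameter names, the class name and the five-minute window are all hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SignedQuery {
    static final long MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window

    // HMAC-SHA256 over the exact query bytes that will be sent.
    static byte[] hmac(byte[] secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Client side: add a timestamp, then a signature covering everything before it.
    static String sign(String query, byte[] deviceSecret, long nowMs) throws Exception {
        String signed = query + "&ts=" + nowMs;
        return signed + "&sig=" + hex(hmac(deviceSecret, signed));
    }

    // Server side: recompute the MAC, compare in constant time, reject stale requests.
    static boolean verify(String received, byte[] deviceSecret, long nowMs) throws Exception {
        int sigAt = received.lastIndexOf("&sig=");
        if (sigAt < 0) return false;
        String signed = received.substring(0, sigAt);
        byte[] given = received.substring(sigAt + 5).getBytes(StandardCharsets.UTF_8);
        byte[] expected = hex(hmac(deviceSecret, signed)).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;
        int tsAt = signed.lastIndexOf("&ts=");
        if (tsAt < 0) return false;
        try {
            long ts = Long.parseLong(signed.substring(tsAt + 4));
            return Math.abs(nowMs - ts) <= MAX_SKEW_MS;
        } catch (NumberFormatException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        long now = System.currentTimeMillis();
        String request = sign("data=1&dtExampleData=42", secret, now); // constructed query
        System.out.println("untampered:       " + verify(request, secret, now));
        System.out.println("parameter edited: " + verify(request.replace("=42", "=43"), secret, now));
        System.out.println("sent too late:    " + verify(request, secret, now + 10 * 60 * 1000));
    }
}
```

The signature gives integrity only, so HTTPS is still needed to keep the parameters confidential, and a request replayed inside the window is accepted unless the server also tracks what it has already seen. The secret still lives on the device, but a per-device value can be revoked individually, unlike one key compiled into every copy of the app.
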
Psychotext (Author) Commented:
Through that article you posted (it was a very interesting read) I came across and followed DexGuard, which massively appeals to what I require, since it's from the same developer as Proguard and holds all the features I need. My concern with this is that, unlike the other two you linked, they do not have a 'trial' version to test out for certain features.

What I'm worried about is that I also currently use Bugsense/Splunk for error reporting and debug information sent from the tablet. I know that Proguard allows for this to have the mapping.txt uploaded to allow the functionality to remain, but I don't seem to be able to find any information on the DexGuard website stating whether or not they do it.
btan (Exec Consultant) Commented:
A decompiler can still decompile the obfuscated code, which is what Proguard is doing, but DexGuard has more measures indeed. I believe both DexGuard and Proguard have the retrace.bat, which works for each uniquely. I saw in a forum that it was suggested to use DexGuard's retrace tool instead, e.g. java -jar /var/DexGuard/lib/retrace.jar -verbose mapping.txt trace.txt
It should still be viable since it is backward compatible with Proguard, but I have not heard of any thorough testing, though. It may still be worth exploring with DexGuard support: http://www.saikoa.com/contact