secure native methods and api-key in android using ndk

Issue

i am using ndk and android studio to secure my api-key and it works now. also i am trying dirty code to harden disassembling… . but i can still decompile and see native methods in java classes. also pre-built .so(shared object) files are available in apk and wil be used again!

Questions:

  1. After releasing the apk, all hackers can see .so file and they can use custom settings in .mk file and program specific native methods like my class for extracting the api-key only. they call my functions related to api-key without knowing the implementation. am i eliminating something here?

    1. is proguard necessary for this way ?

Solution

That’s right, there is no way to prevent .so reuse by malicious agent. Therefore, your native API should never reveal secret information to the Java side. You can perform some validation in your native methods to check if the calling Java actually belongs to the legitimate APK.

On the other hand, don’t underestimate another vulnerability of native code: your .so can be disassembled with relevant tools, and any protection may be torn off. There exist means of obfuscation and resilience to reverse engineering for native code, but the earning curve for them is much steeper than with ProGuard.

Still, it’s worthwhile to at least not keep the api-key in plain text in your C++ code. Try yourself to run

strings libnative.so

(here libnative.so is the .so file extracted from your APK) and you may discover important information that is waiting to be stolen from your library, no sophisticated reverse engineering necessary.

As far as ProGuard is concerned, it does not add protection to the native methods you use. You cannot even obfuscate the class name and method name for a native method. (Well, it is possible, but very tricky, and there are no tools that can help with such setup).

Answered By – Alex Cohn

Leave a Comment