Hiding Sensitive Strings in Obfuscated Code

Obfuscating code to protect proprietary information is a common practice, but discerning eyes can still uncover hidden strings. To effectively conceal sensitive data, consider the following techniques:

Encoding vs. Encryption

If the objective is to deter casual inspection, encoding can suffice. The android.util.Base64 class offers a convenient method. However, encoding provides negligible security.

For stronger protection against attackers, symmetric encryption with a cipher like AES is recommended. The javax.crypto.Cipher class provides an example of its usage.

Manual Encryption and Decryption

Implement encryption and decryption manually following these steps:

1. Encrypt the string with a known key.
2. Update the code to use the decrypted version of the string (e.g., use MyDecryptUtil.decrypt(encrypted, key) instead of mySecret = "http://example.com").

Third-Party DRM Solutions

Consider using third-party DRM solutions like Google's licensing server. They offer potential security benefits over self-rolled solutions, but still have limitations similar to manual encryption and decryption.

R Class Strings

The R class strings you mentioned in your code are references to resources. Obfuscators like ProGuard do not obfuscate the R class itself but rather the references to the resource IDs. They maintain the same number but change the mapping that points to the actual resource.

In this case, 2130903058 references a layout file. Without the decompiled R class, you cannot directly retrieve the resource it represents, but it is still an address to the binary data of the resource.