Hide SQLite Queries, APIs, API Endpoints, API Keys and Other Hardcoded Strings in Android Studio
When an attacker reverse engineers an Android app, they can see the logic written for the backend. Developers use ProGuard to protect their backend code, but ProGuard only shrinks and obfuscates Java code. It does not shrink or obfuscate strings of any type.
API Keys and other keys are sensitive but
Why do we need to secure the API and API endpoint?
Developers use SSL pinning and root detection to prevent traffic interception, but an attacker can extract the API from the Android app and start API testing instead of Android testing, using Postman. The attacker doesn't need any GUI; they believe in the command line.
Reverse Engineering With NDK & Without NDK
Reverse Engineering Without NDK
Reverse Engineering With NDK
How to Hide Strings?
1) Download NDK and CMake from SDK Manager
NDK: The Native Development Kit is a set of tools that allows you to use C and C++ code with Android, and provides platform libraries.
CMake: CMake is used for compiling C and C++ code for your application.
/* Download CMake & NDK from SDK Manager */
2) Change structure “Android” to “Project”
3) Enter the “main” directory
project_name/app/src/main
4) Right click on the “main” folder and create a new directory “jni”
5) Right click on the “jni” folder and create a new file “Android.mk”
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := keys
LOCAL_SRC_FILES := keys.c
include $(BUILD_SHARED_LIBRARY)
6) Right click on the “jni” folder and create a new file “Application.mk”
APP_ABI := all
7) Right click on “jni” and create a new file “keys.c”
8) Now open build.gradle
9) Add these lines and click “Sync Now”
ndkVersion '25.1.8937393' // your NDK version
externalNativeBuild {
    ndkBuild {
        path 'src/main/jni/Android.mk' // path of the Android.mk file
    }
}
You can find your NDK version here:
C:\Users\%your_pc_username%\AppData\Local\Android\Sdk\ndk
10) Now go to your API file
11) Write this code at the top
static {
    System.loadLibrary("keys");
}
12) Now write this code
public static native String Get_ROOT_API();
Get_ROOT_API() is an arbitrary function name; choose your own name.
13) Now right click on the text “Get_ROOT_API()” and click “Show Context Actions”
14) Now click on “Create JNI Function For Get_ROOT_API()”
15) You will be redirected to the keys.c file
(If you are not redirected to keys.c, open it manually)
16) Add this line
return (*env)->NewStringUTF(env, "Your Root API Here!");
17) Now replace “Your Root API Here!” with “Your API Base URL”
18) Repeat with the endpoint
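If you have to open keys.c manually (step 15), the C function must carry the exact JNI symbol name for the Java method, and the underscores in Get_ROOT_API are escaped as "_1". The helper below is an added example, not part of the original post: it derives that symbol for a non-overloaded native method with an ASCII name. The class name com.example.app.Api is a placeholder assumption; use your own package and class.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append one character of a Java name, escaped per the JNI naming rules. */
static int put_escaped(unsigned char c, char *out, size_t cap, size_t *len)
{
    char buf[8];
    if (c >= 0x80)
        return -1;                           /* non-ASCII is not handled here */
    if (isalnum(c))
        snprintf(buf, sizeof buf, "%c", c);
    else if (c == '.' || c == '/')
        snprintf(buf, sizeof buf, "_");      /* package separator */
    else if (c == '_')
        snprintf(buf, sizeof buf, "_1");     /* literal underscore */
    else
        snprintf(buf, sizeof buf, "_0%04x", (unsigned)c); /* e.g. '$' */
    size_t n = strlen(buf);
    if (*len + n >= cap)
        return -1;                           /* output buffer too small */
    memcpy(out + *len, buf, n + 1);
    *len += n;
    return 0;
}

/* Build "Java_<class>_<method>"; returns 0 on success, -1 on error. */
int jni_symbol(const char *cls, const char *method, char *out, size_t cap)
{
    size_t len = 5;
    if (cap < 6)
        return -1;
    memcpy(out, "Java_", 6);
    for (; *cls; cls++)
        if (put_escaped((unsigned char)*cls, out, cap, &len) != 0)
            return -1;
    if (put_escaped('.', out, cap, &len) != 0) /* '_' before the method name */
        return -1;
    for (; *method; method++)
        if (put_escaped((unsigned char)*method, out, cap, &len) != 0)
            return -1;
    return 0;
}

int main(void)
{
    char sym[256]; /* com.example.app.Api is a placeholder class (assumption) */
    if (jni_symbol("com.example.app.Api", "Get_ROOT_API", sym, sizeof sym) == 0)
        puts(sym);
    return 0;
}
```

A mismatch between this name and the function in keys.c shows up at runtime as an UnsatisfiedLinkError on the first call to the native method.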
Source:
https://developer.android.com/ndk/guides
https://developer.android.com/ndk/guides/cmake