Hard-coding Sensitive Information within an Android apk Is a Security Risk - #2 DIVA Solution

Developers often make the mistake of embedding sensitive information in Android apps, such as encryption keys, passwords, PINs, tokens, and internal development information. Sometimes this happens unknowingly, and sometimes it is done knowingly to ease development.

Reverse engineering is the process of recovering source code from compiled binaries such as an apk (check out the article Reverse Engineering .apk file using APKTool-D2J-JDGui & alternate tool Jadx). Anybody who downloads an apk from the Play Store can therefore reverse it to get the source code back. Reverse engineering can be done on both native and hybrid apps. Obfuscation is a technique in which the output apk (or any output file) is built with jumbled characters, so that on reverse engineering the apk nobody can easily understand what the source code was. Obfuscation does play a vital role in complicating the mapping between the apk (or any binary) and its source code, but it can only increase the time required to understand the underlying logic; it cannot entirely stop reverse engineering of the app.

There are also options to convert an apk into Smali (assembly-level) code, which helps in understanding it better (check out this article on converting .apk into Smali). Moreover, with many obfuscation techniques the code may be jumbled, but the values held in variables remain unaltered, and this is exactly where sensitive information is stored.


The video demonstrates that in the DIVA app the login information is visible in clear text in the app source code. Reverse engineering the apk reveals these values easily.



  • The best solution is not to store anything within the apk: either generate it at run time from user input, or fetch the details over the internet with a secure HTTPS call.
  • When it comes to maintaining the confidentiality of a proprietary algorithm or logic, a strong code obfuscation technique might help by increasing the complexity of reversing. However, no 100% reliable solution is available to date.
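
As an added example (not from the original article or the DIVA project), the Python script below is a pre-release check that flags hard-coded string literals in Java source, and shows that the literals are still found after identifiers are renamed, as described above for obfuscated code. The rule patterns, the entropy threshold and both Java snippets are constructed assumptions for illustration.

```python
import math
import re

# Identifier fragments that suggest a credential (assumed list; extend per project).
SECRET_NAME = re.compile(r"pass|secret|token|pin|key", re.I)
# String literal assigned to a variable or field:  name = "literal"
ASSIGN = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# String literal used in a comparison:  x.equals("literal")
EQUALS = re.compile(r'\.equals\(\s*"((?:[^"\\]|\\.)*)"\s*\)')


def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded(source):
    """Return sorted (line_no, rule, literal) findings for Java source text."""
    findings = set()
    for no, line in enumerate(source.splitlines(), 1):
        for name, lit in ASSIGN.findall(line):
            if lit and SECRET_NAME.search(name):
                findings.add((no, "secret-named-assignment", lit))
            elif len(lit) >= 16 and entropy(lit) >= 3.5:
                findings.add((no, "high-entropy-literal", lit))
        for lit in EQUALS.findall(line):
            if lit:
                findings.add((no, "literal-comparison", lit))
    return sorted(findings)


# Constructed sample: the same code before and after identifier renaming.
READABLE = '''
String apiToken = "Zx8qLm2Rt7Vb4Nc9Kd1P";
if (input.getText().toString().equals("example-login-pin")) { grant(); }
String title = "Welcome";
'''
OBFUSCATED = '''
String a = "Zx8qLm2Rt7Vb4Nc9Kd1P";
if (b.getText().toString().equals("example-login-pin")) { c(); }
String d = "Welcome";
'''

if __name__ == "__main__":
    for label, src in (("readable", READABLE), ("obfuscated", OBFUSCATED)):
        for finding in find_hardcoded(src):
            print(label, finding)
```

Run it over the source tree before release, or over decompiled output of the built apk; name-based rules stop matching once identifiers are renamed, so the comparison and entropy rules are the ones that reflect what a reverse engineer would still see.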

