How difficult is to decompile C++ file?
Clash Royale CLAN TAG#URR8PPP
up vote
3
down vote
favorite
I am writing an Android app with AES encryption and I am going to save AES key as a string to a C++ file with extension .cpp
.
I am also going to create an iOS app which will use the same AES key. Is it possible to save the key in C++ file in iOS?
How difficult would it be to decompile the C++ file and read the key?
Here is the C++ file from Android:
#include <jni.h>
#include <string>
extern "C"
JNIEXPORT jstring JNICALL
Java_com_android_app_aesKeyFromJNI(JNIEnv *env, jobject /* this */)
std::string secret = "somesecretkey";
return env->NewStringUTF(secret.c_str());
c++ android ios
New contributor
add a comment |Â
up vote
3
down vote
favorite
I am writing an Android app with AES encryption and I am going to save AES key as a string to a C++ file with extension .cpp
.
I am also going to create an iOS app which will use the same AES key. Is it possible to save the key in C++ file in iOS?
How difficult would it be to decompile the C++ file and read the key?
Here is the C++ file from Android:
#include <jni.h>
#include <string>
extern "C"
JNIEXPORT jstring JNICALL
Java_com_android_app_aesKeyFromJNI(JNIEnv *env, jobject /* this */)
std::string secret = "somesecretkey";
return env->NewStringUTF(secret.c_str());
c++ android ios
New contributor
2
A plain ascii string is anything but secret.
â joxeankoret
2 hours ago
add a comment |Â
up vote
3
down vote
favorite
up vote
3
down vote
favorite
I am writing an Android app with AES encryption and I am going to save AES key as a string to a C++ file with extension .cpp
.
I am also going to create an iOS app which will use the same AES key. Is it possible to save the key in C++ file in iOS?
How difficult would it be to decompile the C++ file and read the key?
Here is the C++ file from Android:
#include <jni.h>
#include <string>
extern "C"
JNIEXPORT jstring JNICALL
Java_com_android_app_aesKeyFromJNI(JNIEnv *env, jobject /* this */)
std::string secret = "somesecretkey";
return env->NewStringUTF(secret.c_str());
c++ android ios
New contributor
I am writing an Android app with AES encryption and I am going to save AES key as a string to a C++ file with extension .cpp
.
I am also going to create an iOS app which will use the same AES key. Is it possible to save the key in C++ file in iOS?
How difficult would it be to decompile the C++ file and read the key?
Here is the C++ file from Android:
#include <jni.h>
#include <string>
extern "C"
JNIEXPORT jstring JNICALL
Java_com_android_app_aesKeyFromJNI(JNIEnv *env, jobject /* this */)
std::string secret = "somesecretkey";
return env->NewStringUTF(secret.c_str());
c++ android ios
c++ android ios
New contributor
New contributor
edited 14 mins ago
0xC0000022Lâ¦
7,54142861
7,54142861
New contributor
asked 3 hours ago
Daniel Foo
161
161
New contributor
New contributor
2
A plain ascii string is anything but secret.
â joxeankoret
2 hours ago
add a comment |Â
2
A plain ascii string is anything but secret.
â joxeankoret
2 hours ago
2
2
A plain ascii string is anything but secret.
â joxeankoret
2 hours ago
A plain ascii string is anything but secret.
â joxeankoret
2 hours ago
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
3
down vote
Not hard enough!
First of all, if you save the key as a non-encrypted string, a simple strings
command will find it and IDA x-ref will even show the reverser where it's used.
If you save the key encrypted, a simple breakpoint will let them see the decrypted password. (or understanding the decryption algorithm).
edited your answer ... I think you meantstrings
, notstring
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).
â 0xC0000022Lâ¦
15 mins ago
add a comment |Â
up vote
2
down vote
A plain text string like this will be visible by looking at the file in a hex editor (like hte
or a viewer like xxd
or od
) or with the Sysinternals strings
command or with strings(1)
on a Linux/FreeBSD etc, for example. Most reverse engineering tools have a separate view for strings, because those are usually exceptionally useful to reverse engineers. Amirag already pointed that out for IDA.
In terms of Android that C++ file is likely going to end up as a shared object in ELF file format. These are binary files with a known structure. Simply by looking at the exported functions/symbols, it will be trivial to find the "secret". Even if you were to obfuscate this further, it would still not help. Obfuscation is security through obscurity. It's not actual security. So even writing that string as some xor-ed array of bytes or using the Caesar cipher will add no tangible protection if that's the goal.
Furthermore you should never ever include the private key in code that ends up with the user. The reason why it's called a secret is because it should be kept secret. Just "mangling" the representation of this secret with a compiler isn't going to help at all.
If it's a secret the user shouldn't see it, this belongs on the server-side or into a HSM (hardware security module), but not on the user's machine in any form. There is no other way to reconcile mistrusting the user and at the same time placing "secrets" into the user's hands. It's the fundamental conundrum of software protection mechanisms also.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
Not hard enough!
First of all, if you save the key as a non-encrypted string, a simple strings
command will find it and IDA x-ref will even show the reverser where it's used.
If you save the key encrypted, a simple breakpoint will let them see the decrypted password. (or understanding the decryption algorithm).
edited your answer ... I think you meantstrings
, notstring
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).
â 0xC0000022Lâ¦
15 mins ago
add a comment |Â
up vote
3
down vote
Not hard enough!
First of all, if you save the key as a non-encrypted string, a simple strings
command will find it and IDA x-ref will even show the reverser where it's used.
If you save the key encrypted, a simple breakpoint will let them see the decrypted password. (or understanding the decryption algorithm).
edited your answer ... I think you meantstrings
, notstring
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).
â 0xC0000022Lâ¦
15 mins ago
add a comment |Â
up vote
3
down vote
up vote
3
down vote
Not hard enough!
First of all, if you save the key as a non-encrypted string, a simple strings
command will find it and IDA x-ref will even show the reverser where it's used.
If you save the key encrypted, a simple breakpoint will let them see the decrypted password. (or understanding the decryption algorithm).
Not hard enough!
First of all, if you save the key as a non-encrypted string, a simple strings
command will find it and IDA x-ref will even show the reverser where it's used.
If you save the key encrypted, a simple breakpoint will let them see the decrypted password. (or understanding the decryption algorithm).
edited 16 mins ago
0xC0000022Lâ¦
7,54142861
7,54142861
answered 2 hours ago
Amirag
4266
4266
edited your answer ... I think you meantstrings
, notstring
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).
â 0xC0000022Lâ¦
15 mins ago
add a comment |Â
edited your answer ... I think you meantstrings
, notstring
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).
â 0xC0000022Lâ¦
15 mins ago
edited your answer ... I think you meant
strings
, not string
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).â 0xC0000022Lâ¦
15 mins ago
edited your answer ... I think you meant
strings
, not string
. If I'm wrong, kindly roll back my change (and if that doesn't work because I'm mod, let me know in a comment here, thanks).â 0xC0000022Lâ¦
15 mins ago
add a comment |Â
up vote
2
down vote
A plain text string like this will be visible by looking at the file in a hex editor (like hte
or a viewer like xxd
or od
) or with the Sysinternals strings
command or with strings(1)
on a Linux/FreeBSD etc, for example. Most reverse engineering tools have a separate view for strings, because those are usually exceptionally useful to reverse engineers. Amirag already pointed that out for IDA.
In terms of Android that C++ file is likely going to end up as a shared object in ELF file format. These are binary files with a known structure. Simply by looking at the exported functions/symbols, it will be trivial to find the "secret". Even if you were to obfuscate this further, it would still not help. Obfuscation is security through obscurity. It's not actual security. So even writing that string as some xor-ed array of bytes or using the Caesar cipher will add no tangible protection if that's the goal.
Furthermore you should never ever include the private key in code that ends up with the user. The reason why it's called a secret is because it should be kept secret. Just "mangling" the representation of this secret with a compiler isn't going to help at all.
If it's a secret the user shouldn't see it, this belongs on the server-side or into a HSM (hardware security module), but not on the user's machine in any form. There is no other way to reconcile mistrusting the user and at the same time placing "secrets" into the user's hands. It's the fundamental conundrum of software protection mechanisms also.
add a comment |Â
up vote
2
down vote
A plain text string like this will be visible by looking at the file in a hex editor (like hte
or a viewer like xxd
or od
) or with the Sysinternals strings
command or with strings(1)
on a Linux/FreeBSD etc, for example. Most reverse engineering tools have a separate view for strings, because those are usually exceptionally useful to reverse engineers. Amirag already pointed that out for IDA.
In terms of Android that C++ file is likely going to end up as a shared object in ELF file format. These are binary files with a known structure. Simply by looking at the exported functions/symbols, it will be trivial to find the "secret". Even if you were to obfuscate this further, it would still not help. Obfuscation is security through obscurity. It's not actual security. So even writing that string as some xor-ed array of bytes or using the Caesar cipher will add no tangible protection if that's the goal.
Furthermore you should never ever include the private key in code that ends up with the user. The reason why it's called a secret is because it should be kept secret. Just "mangling" the representation of this secret with a compiler isn't going to help at all.
If it's a secret the user shouldn't see it, this belongs on the server-side or into a HSM (hardware security module), but not on the user's machine in any form. There is no other way to reconcile mistrusting the user and at the same time placing "secrets" into the user's hands. It's the fundamental conundrum of software protection mechanisms also.
add a comment |Â
up vote
2
down vote
up vote
2
down vote
A plain text string like this will be visible by looking at the file in a hex editor (like hte
or a viewer like xxd
or od
) or with the Sysinternals strings
command or with strings(1)
on a Linux/FreeBSD etc, for example. Most reverse engineering tools have a separate view for strings, because those are usually exceptionally useful to reverse engineers. Amirag already pointed that out for IDA.
In terms of Android that C++ file is likely going to end up as a shared object in ELF file format. These are binary files with a known structure. Simply by looking at the exported functions/symbols, it will be trivial to find the "secret". Even if you were to obfuscate this further, it would still not help. Obfuscation is security through obscurity. It's not actual security. So even writing that string as some xor-ed array of bytes or using the Caesar cipher will add no tangible protection if that's the goal.
Furthermore you should never ever include the private key in code that ends up with the user. The reason why it's called a secret is because it should be kept secret. Just "mangling" the representation of this secret with a compiler isn't going to help at all.
If it's a secret the user shouldn't see it, this belongs on the server-side or into a HSM (hardware security module), but not on the user's machine in any form. There is no other way to reconcile mistrusting the user and at the same time placing "secrets" into the user's hands. It's the fundamental conundrum of software protection mechanisms also.
A plain text string like this will be visible by looking at the file in a hex editor (like hte
or a viewer like xxd
or od
) or with the Sysinternals strings
command or with strings(1)
on a Linux/FreeBSD etc, for example. Most reverse engineering tools have a separate view for strings, because those are usually exceptionally useful to reverse engineers. Amirag already pointed that out for IDA.
In terms of Android that C++ file is likely going to end up as a shared object in ELF file format. These are binary files with a known structure. Simply by looking at the exported functions/symbols, it will be trivial to find the "secret". Even if you were to obfuscate this further, it would still not help. Obfuscation is security through obscurity. It's not actual security. So even writing that string as some xor-ed array of bytes or using the Caesar cipher will add no tangible protection if that's the goal.
Furthermore you should never ever include the private key in code that ends up with the user. The reason why it's called a secret is because it should be kept secret. Just "mangling" the representation of this secret with a compiler isn't going to help at all.
If it's a secret the user shouldn't see it, this belongs on the server-side or into a HSM (hardware security module), but not on the user's machine in any form. There is no other way to reconcile mistrusting the user and at the same time placing "secrets" into the user's hands. It's the fundamental conundrum of software protection mechanisms also.
answered 17 mins ago
0xC0000022Lâ¦
7,54142861
7,54142861
add a comment |Â
add a comment |Â
Daniel Foo is a new contributor. Be nice, and check out our Code of Conduct.
Daniel Foo is a new contributor. Be nice, and check out our Code of Conduct.
Daniel Foo is a new contributor. Be nice, and check out our Code of Conduct.
Daniel Foo is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19840%2fhow-difficult-is-to-decompile-c-file%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
2
A plain ascii string is anything but secret.
â joxeankoret
2 hours ago