Understanding String Obfuscation

I love understanding a topic with some background, history, etc. When I came across string obfuscation and searched the internet for it, I found content on implementing it, but there was no link where I could actually see the problem in action and test the final solution.

Through this article, I would like to cover this topic in a way where we start with a problem and reproduce it hands-on, then implement the solution and retest to see if it actually helped. Happy reading!

Disclaimer: The obfuscation technique described here is only strong enough to fend off most hackers from finding your keys. Given time and resources, this technique could be bypassed. There are multiple other ways to secure sensitive strings in the application. The objective of this article is to give an idea of string obfuscation.

The Problem: Confidential strings stored in an application in plain text could be retrieved by a potential hacker, e.g. the API key of a weather information provider. Assume you are paying for this service per API call and someone retrieves this API key and uses it in his app… scary, isn’t it?

A Solution in “Plain Text”: Assume you are Professor Moriarty and you have multiple million-dollar accounts, the passwords of which are not possible to remember. Hence you maintain a diary where you write all your passwords in a smart way! Let’s say the password of one of your accounts is “BALL” (consider this the plain text). You choose another string or number of your choice, let’s say 1903 (consider this the salt). Now what you do is the following:

  1. Sum the digits of your salt, i.e. 1+9+0+3 = 13.
  2. Find the ASCII equivalent of all characters in your plain text: “B”=66, “A”=65, “L”=76.
  3. Add the sum of your salt to each individual character, i.e. “B”=66+13=79, and so on for all characters, such that your resulting string is “79788989”.
  4. Now you write the above number and the salt in your diary, assuming you remember this algorithm. Now even if Sherlock Holmes gets your diary, he will not be able to understand a thing!
  5. We will later import source code that operates on a given plain text in a way that makes it difficult for others to guess the plain text. Feel free to design your own algorithm to do this.
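
The diary scheme from steps 1 to 4, written out as an added example (this is not code from the original article). The function names and the `width` parameter are assumptions introduced here; `width` zero-pads every code so the digit string can be split back unambiguously once characters produce codes of different lengths.

```python
def salt_offset(salt: str) -> int:
    """Step 1: sum the decimal digits of the salt ("1903" -> 13)."""
    if not (salt.isascii() and salt.isdigit()):
        raise ValueError("salt must be ASCII decimal digits")
    return sum(int(d) for d in salt)


def obfuscate(plain: str, salt: str, width: int = 0) -> str:
    """Steps 2-3: shift each ASCII code by the offset and concatenate.

    width=0 reproduces the article's unpadded output; width>0 zero-pads
    each code to a fixed length so it can be decoded later.
    """
    offset = salt_offset(salt)
    out = []
    for ch in plain:
        if not ch.isascii():
            raise ValueError("plain text must be ASCII")
        code = str(ord(ch) + offset).zfill(width)
        if width and len(code) > width:
            raise ValueError("width too small for shifted code")
        out.append(code)
    return "".join(out)


def deobfuscate(digits: str, salt: str, width: int) -> str:
    """Reverse of obfuscate() for a fixed-width digit string."""
    offset = salt_offset(salt)
    if width <= 0 or len(digits) % width:
        raise ValueError("digit string does not split into fixed-width codes")
    chars = []
    for i in range(0, len(digits), width):
        code = int(digits[i:i + width]) - offset
        if not 0 <= code <= 127:
            raise ValueError("wrong salt or width")
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    diary = obfuscate("BALL", "1903")            # the article's worked values
    print(diary, deobfuscate(diary, "1903", 2))
    # Constructed input: "d" shifts to a 3-digit code, so padding is needed.
    padded = obfuscate("Bd", "1903", width=3)
    print(padded, deobfuscate(padded, "1903", 3))
```

Only the digit sum of the salt enters the result, so salts with the same sum (1903 and 3091 both give 13) produce the same diary entry.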

Continue reading here.



More articles by Pran Kishore
