Encrypt Strings
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android, iOS | MASVS-RESILIENCE-3 |
Overview
Encrypt Strings protects sensitive string literals embedded in your application's compiled code. This control encrypts API keys, URLs, configuration values, error messages, and other hardcoded strings at build time, preventing attackers from extracting them through static analysis tools.
How It Works
At build time, MobileDefender identifies string literals in the compiled application binary and protects them with per-build string encryption. The protected strings remain unreadable through simple static inspection of the binary stored on disk or distributed through app stores.
When the application launches, a small decryption routine automatically restores the strings to their original values in memory. This ensures normal application functionality while preventing static analysis of the binary from revealing sensitive information.
The encryption process intelligently preserves system-critical strings (such as Android framework identifiers, iOS selector names, and platform APIs) that must remain unmodified for the application to function correctly.
Threats Mitigated
Static String Extraction
Attackers commonly use tools like strings, IDA Pro, Hopper Disassembler, or Ghidra to extract all readable text from application binaries. Encrypt Strings makes this technique ineffective by storing only encrypted ciphertext in the binary.
API Key Discovery
Hardcoded API keys, authentication tokens, backend URLs, and third-party service credentials are common targets for reverse engineering. By encrypting these strings, you prevent attackers from discovering them through simple binary inspection.
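A build-verification check for the two threats above, as an added example that is not MobileDefender's own code: it runs a `strings`-style scan over a build artifact, descending into zip containers such as APK and IPA files, and reports any of your known literals that are still readable. The canary values, file names, and the XOR stand-in for a protected build are constructed for illustration.

```python
import io
import re
import zipfile

# Printable runs of 4+ chars, the same heuristic the `strings` tool uses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # UTF-16LE text

def extract_strings(blob):
    """Return the set of printable strings in a raw byte blob."""
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)}
    return found

def iter_blobs(name, data):
    """Yield (location, bytes), descending into zip containers (APK/IPA)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield from iter_blobs(f"{name}!{member}", zf.read(member))
    else:
        yield name, data

def find_plaintext_canaries(name, data, canaries):
    """Return sorted (location, canary) pairs that are still readable."""
    hits = set()
    for loc, blob in iter_blobs(name, data):
        for s in extract_strings(blob):
            hits.update((loc, c) for c in canaries if c in s)
    return sorted(hits)

def _make_archive(payload):
    """Build a constructed one-file archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", payload)
    return buf.getvalue()

# Constructed sample data: placeholder literals, not real credentials.
CANARIES = ["https://api.example.test/v1", "sk_test_CONSTRUCTED_KEY"]
_raw = b"\x00\x01dex\n" + b"\x00".join(c.encode() for c in CANARIES) + b"\x00\xff"
UNPROTECTED = _make_archive(_raw)
# Single-byte XOR is only a stand-in for "not plaintext"; it is an assumption,
# not the scheme the product uses.
PROTECTED = _make_archive(bytes(b ^ 0x5A for b in _raw))

if __name__ == "__main__":
    for label, build in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        hits = find_plaintext_canaries("app.apk", build, CANARIES)
        print(label, "FAIL" if hits else "ok", hits)
```

Choose canaries from your own literals rather than framework identifiers or selector names, since the page states that system-critical strings are deliberately left unmodified.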
Configuration and Error Message Leakage
Diagnostic messages, internal configuration values, and debug strings can reveal information about your application's architecture and business logic. Encryption keeps this information hidden from static analysis.
How to Enable the Control
Navigate to Code Obfuscation from the AppTego portal, and expand the Code And String Protection section. Under this section you will find the Encrypt Strings control. Click Enable to apply it to the next protected build.
API Configuration Example
    {
      "EncryptStrings": {
        "protection": true
      }
    }
| Field | Purpose |
|---|---|
| protection | Enables Encrypt Strings for protected builds. |
Caveats
Runtime Performance
String decryption adds a small overhead at application startup (iOS) or when strings are first accessed (Android). For most applications this overhead is negligible, but apps with extremely large numbers of strings may experience slightly increased launch time.
Binary Size
The encryption process adds a small decryption routine to your application binary (typically a few kilobytes). The strings themselves occupy the same amount of space as before.
Compatibility
Certain debugging and crash reporting tools that perform static analysis of binaries may show encrypted strings as gibberish rather than readable text. This does not affect runtime debugging or crash logs, as strings are decrypted in memory during normal execution.
Support Matrix
| Platform | Supported Versions | Notes |
|---|---|---|
| Android | All versions | Encrypts string constants in DEX bytecode |
| iOS | All versions | Encrypts strings in Mach-O binaries |
Plan Requirement
ENTERPRISE
This control is available exclusively to Enterprise tier customers.