We can use "jni module" to keep 'Sensitive Hardcoded Strings' in the app. when we try to reverse engineer APK file we get lib folder and .so files in respective process-folders. which can not decrypt.

我们可以使用“jni 模块”在应用程序中保留“敏感硬编码字符串”。当我们尝试对 APK 文件进行逆向工程时，我们会在各自的进程文件夹中获得 lib 文件夹和 .so 文件。无法解密。

You can save your string obfuscated by AES.

您可以保存由 AES 混淆的字符串。

In Licensing Verification Library you can find AESObfuscator. In LVL it is used to obfuscate cached license info that is read instead of asking Android Market to find out application is licensed or not. LVL can be downloaded as component of SDK.

在许可验证库中，您可以找到AESObfuscator. 在 LVL 中，它用于混淆读取的缓存许可信息，而不是要求 Android Market 找出应用程序是否获得许可。LVL 可以作为 SDK 的组件下载。

I guess you can try a code obfuscator, but really that won't make your password 100% secure and I don't know how well it goes along with the android compiler. Why not use a secured web authentication , like that of Google?

我想您可以尝试使用代码混淆器，但实际上这不会使您的密码 100% 安全，而且我不知道它与 android 编译器的配合情况如何。为什么不使用安全的 Web 身份验证，例如 Google 的身份验证？

1. Hashing is not possible since it is not two way.
2. Any encryption such as AES, DES, blowfish, etch is not a viable solution as you have to include the decryption part within your app and that can be decompiled with a combination of apktool, dex2jar and JD (java decompiler) which is a very powerful combo while decompiling any apk.
3. Even code obfuscators don't do anything except make life a little more difficult for the decompiling guy, who'll eventually get it anyways.

1. 散列是不可能的，因为它不是两种方式。
2. 任何加密，例如 AES、DES、blowfish、etch 都不是可行的解决方案，因为您必须在应用程序中包含解密部分，并且可以使用 apktool、dex2jar 和 JD（Java 反编译器）的组合进行反编译，这是一个非常强大的组合同时反编译任何apk。
3. 甚至代码混淆器也不会做任何事情，只是让反编译人员的生活变得更加困难，无论如何他们最终都会得到它。

The only way which I think would work to an extent would be to host the credentials on a server which only your application can access via a web-service call through a separate authentication of some kind - similar to FB's hash key thing. If it works for them, it should work for us.

我认为在某种程度上可行的唯一方法是将凭据托管在服务器上，只有您的应用程序可以通过某种单独的身份验证通过 Web 服务调用访问该服务器 - 类似于 FB 的散列密钥。如果它对他们有用，它应该对我们有用。

I was looking into a similar problem and came across this useful thread: http://www.dreamincode.net/forums/topic/208159-protect-plain-string-from-decompilers/

我正在研究类似的问题并遇到了这个有用的线程：http: //www.dreamincode.net/forums/topic/208159-protect-plain-string-from-decompilers/

I'm not too familiar with Android development, but the same ideas should apply.

我对 Android 开发不太熟悉，但同样的想法应该适用。

If you do not have the means to do a web authorization you will need to include the third party decryption with you application.

如果您没有办法进行网络授权，您将需要在您的应用程序中包含第三方解密。

This is what you could try 1) Write a standalone program only to create a password hash one time. (This program should not be a part of your app). Make a note of the hash that was generated. http://www.mindrot.org/projects/jBCrypt/

这是您可以尝试的方法 1) 编写一个独立的程序，只为一次创建密码哈希。（此程序不应成为您的应用程序的一部分）。记下生成的散列。 http://www.mindrot.org/projects/jBCrypt/

 // Hash a password for the first time.
    String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));

2) Store this password hash as a String constant in you APK.

2) 将此密码哈希作为字符串常量存储在您的 APK 中。

3) Then every time you need to check the password, compare with the hashed password, using bcrypt.

3）然后每次需要检查密码时，与哈希密码进行比较，使用bcrypt。

// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
    System.out.println("It matches");
else
    System.out.println("It does not match");

jBCrypt is a single java file and it can be directly included in your application. It is considered one of the strongest encryption algorithms for passwords. Even through the decryption algorithm is present in you APK, trying to break this is very time consuming details of which can be read in the article below.

jBCrypt 是一个单独的 java 文件，它可以直接包含在您的应用程序中。它被认为是最强大的密码加密算法之一。即使通过解密算法存在于你的 APK 中，试图破解它也是非常耗时的细节，可以在下面的文章中阅读。

Read this article for details and security of bcrypt.
http://codahale.com/how-to-safely-store-a-password/

阅读本文以了解 bcrypt 的详细信息和安全性。
http://codahale.com/how-to-safely-store-a-password/

Again, use this only if you do not have the means to do web based authentication.

同样，仅当您没有办法进行基于 Web 的身份验证时才使用它。

Use some kind of trivial encryption or cipher that only you (and your code) understand. Reverse the string, store it as array of integers where you need to take the mod of 217 or something silly to find the real password.

使用某种只有您（和您的代码）才能理解的普通加密或密码。反转字符串，将其存储为整数数组，您需要在其中取模 217 或一些愚蠢的东西才能找到真正的密码。

One way you can 100% secure you hard-coded string. Firstly don't use pro-guard use allatori Link: http://www.allatori.com/

一种可以 100% 保护硬编码字符串的方法。首先不要使用亲卫使用 allatori 链接：http: //www.allatori.com/

And secondly don't take you hard coded string in any variable just use that string like this:

其次，不要在任何变量中使用硬编码字符串，只需像这样使用该字符串：

if(var=="abc"){}

"abc"is exampled hard coded string.

"abc"是示例硬编码字符串。

Allatori fully obfuscate all string that are used in code like above.

Allatori 完全混淆了上面代码中使用的所有字符串。

Hope it will help for you.

希望对你有帮助。

doing these would be useful:

这样做会很有用：

1- you can encrypt them and obfuscate the encrypting algorithm. any encryption along with obfuscation (progaurd in Adnroid) is useful.

1-您可以加密它们并混淆加密算法。任何加密和混淆（Adnroid 中的 progaurd）都是有用的。

2- you better to hardcode your strings as byte array in your code. many reverse engineering applications can get a list of your hardcoded strings and guess what they are. but when they are in form of byte array they are not readable. but again Proguard is necessary. (it only hides from RAM string constant searching and they are still searchable from .class file)

2-您最好在代码中将字符串硬编码为字节数组。许多逆向工程应用程序可以获得您的硬编码字符串列表并猜测它们是什么。但是当它们是字节数组的形式时，它们是不可读的。但再次 Proguard 是必要的。（它只从 RAM 字符串常量搜索中隐藏，它们仍然可以从 .class 文件中搜索）

3- using C++ code to host your constant is not a bad idea if you encrypt them before hardcoding and decrypt them using C++ code.

3- 如果您在硬编码之前加密它们并使用 C++ 代码解密它们，则使用 C++ 代码来托管您的常量并不是一个坏主意。

there is also a great article here :

这里还有一篇很棒的文章：

https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/

https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/