klaxit / hidden-secrets-gradle-plugin

🔒 Deeply hide secrets on Android
MIT License

Getting error while adding plugin #38

Closed noob-programmer1 closed 3 years ago

noob-programmer1 commented 3 years ago

I want to use this plugin in my production app, but I am getting an error while adding the plugin: "Minimum supported gradle version is 6.5". In the README file it's written that "This gradle plugin can be used with any Android project in Java or Kotlin."

ben-j69 commented 3 years ago

Hello @ABHI165,

What Gradle version are you using? Which version of the plugin did you try?

You can try v0.1.1, which uses an older Gradle version.

noob-programmer1 commented 3 years ago

I am new to reverse engineering native code and I have one more doubt. In order to get the key we have to use the Secret() class and call a particular method. After getting the key I am passing it to another function. So my question is: is it possible for the hacker to reverse engineer the app and, after getting the key from the class, just log it by making some code changes instead of passing it to another function? In this way he doesn't need to reverse engineer the C++ file to get the key or the decryption logic.

Thanks in advance

ben-j69 commented 3 years ago

Hello @ABHI165, if the hacker can run your Java/Kotlin code with your decrypted key inside, he will be able to print it. That is why it is important to not include your key in your project as a String, to obfuscate your code, and to use this project to retrieve your key at runtime. It is much more secure this way, but as said in the README:

⚠️ Nothing on the client-side is unbreakable. So generally speaking, keeping a secret in a mobile package is not a smart idea. But when you absolutely need to, this is the best method we have found to hide it.

Is your first issue solved? If yes, I will close the issue.

Thanks

noob-programmer1 commented 3 years ago

@ben-j69 I think I was not able to explain my question. Let me explain it one more time. Suppose I stored my key in the NDK using this project. To retrieve the key I use this function, as mentioned in the README file:

val key = Secrets().getYourSecretKeyName(packageName)

After getting the key I am passing it to another function for further work. So my question is: is it possible that the hacker decompiles my code and, after that line, adds some code of his own that basically prints that key? In this way he doesn't need to extract the NDK and check the logic etc.; he will directly log it after getting it.

noob-programmer1 commented 3 years ago

@ben-j69 I have some questions, that's why I haven't tried it in the prod app. I will let you know once I use it.

ben-j69 commented 3 years ago

@ABHI165 as explained, the hacker should not have access to your clear code and run it. It needs to be obfuscated with ProGuard (or another solution) to make the reverse engineering super difficult.

noob-programmer1 commented 3 years ago

@ben-j69 I am still getting the same error while adding this plugin (v0.1.1): Minimum supported Gradle version is 6.1.1. Current version is 5.6.4.

Please fix the project's Gradle settings. Fix Gradle wrapper and re-import project Open Gradle wrapper properties Gradle Settings.

Edit - I tried adding v0.1.0 but I am still getting the same error.

noob-programmer1 commented 3 years ago

@ben-j69 after updating Gradle to 6.1.1, as required by v0.1.1, I am now getting this error:

AAPT: unknown option '--proguard-minimal-keep-rules'.

aapt2 link [options] -o arg --manifest arg files...

ben-j69 commented 3 years ago

Hello @ABHI165, what solutions did you try? Clean project? Invalidate the cache? etc.?

This is related to your project; please check on Google what can solve this issue.

noob-programmer1 commented 3 years ago

@ben-j69 I have made a fresh new project and I am trying to add this, but I am getting this error. Can you please help? (I have tried directly adding the plugin but it didn't work.) Also, if there is any demo project where I can see the implementation, then please share the link.

My app-level Gradle file:

buildscript {
    repositories {
        maven {
            url "https://plugins.gradle.org/m2/"
        }
    }
    dependencies {
        classpath "com.klaxit.hiddensecrets:HiddenSecretsPlugin:0.1.2"
    }
}

plugins {
    id 'com.android.application'
    id 'kotlin-android'

}
apply plugin: 'com.klaxit.hiddensecrets'

android {
    externalNativeBuild {
        cmake {
            path "src/main/cpp/CMakeLists.txt"
        }
    }

    compileSdkVersion 30
    buildToolsVersion "30.0.3"

    defaultConfig {
        applicationId "com.example.myapplication"
        minSdkVersion 22
        targetSdkVersion 30
        versionCode 1
        versionName "1.0"

        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }
    kotlinOptions {
        jvmTarget = '1.8'
    }
    ndkVersion '21.1.6352462'
}

dependencies {

    implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
    implementation 'androidx.core:core-ktx:1.5.0'
    implementation 'androidx.appcompat:appcompat:1.3.0'
    implementation 'com.google.android.material:material:1.3.0'
    implementation 'androidx.annotation:annotation:1.1.0'
    implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
    implementation 'androidx.lifecycle:lifecycle-livedata-ktx:2.3.1'
    implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.3.1'
    testImplementation 'junit:junit:4.+'
    androidTestImplementation 'androidx.test.ext:junit:1.1.2'
    androidTestImplementation 'androidx.test.espresso:espresso-core:3.3.0'
}

Error -

Could not find com.android.tools.build:gradle:4.1.3.

Searched in the following locations:
  - https://plugins.gradle.org/m2/com/android/tools/build/gradle/4.1.3/gradle-4.1.3.pom
If the artifact you are trying to retrieve can be found in the repository but without metadata in 'Maven POM' format, you need to adjust the 'metadataSources { ... }' of the repository declaration.
Required by:
    project :app > com.klaxit.hiddensecrets:HiddenSecretsPlugin:0.1.2
Add google Maven repository and sync project
Open File

ben-j69 commented 3 years ago

@ABHI165 as written in your error message: "Add google Maven repository and sync project". To be sure to find it, I advise you to set up your repos like this:

google()
mavenCentral()
jcenter()

ben-j69 commented 3 years ago

@ABHI165 I might have found the reason for your issue and I am currently updating the documentation.

In your gradle file, add google() in your buildscript:

buildscript {
    repositories {
        google()
        maven {
            url "https://plugins.gradle.org/m2/"
        }
    }
    dependencies {
        classpath "com.klaxit.hiddensecrets:HiddenSecretsPlugin:0.1.2"
    }
}
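
A check for the two build-file problems this thread turns on, as an added example that is not part of the thread or the plugin's code: a `buildscript` block that declares the plugin without `google()`, and the release build type posted with `minifyEnabled false` although obfuscation is advised. The helper names and the abbreviated sample file are constructed here, and the brace counting assumes a Groovy `build.gradle` with no braces inside strings or comments.

```python
import re

def block_body(text, name):
    """Body of the first `name { ... }` block in text, '' if absent (brace counting only)."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{', text)
    if not m:
        return ''
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def lint_gradle(text):
    """Flag the two problems raised in the thread in a Groovy app-level build.gradle."""
    findings = []
    buildscript = block_body(text, 'buildscript')
    repos = block_body(buildscript, 'repositories')
    if 'HiddenSecretsPlugin' in buildscript and not re.search(r'\bgoogle\s*\(\s*\)', repos):
        findings.append('buildscript.repositories lacks google()')
    release = block_body(block_body(text, 'buildTypes'), 'release')
    if not re.search(r'\bminifyEnabled\s*=?\s*true\b', release):
        findings.append('release build is not minified')
    return findings

# Constructed sample: the build file posted in the thread, abbreviated.
ISSUE_GRADLE = '''
buildscript {
    repositories {
        maven { url "https://plugins.gradle.org/m2/" }
    }
    dependencies {
        classpath "com.klaxit.hiddensecrets:HiddenSecretsPlugin:0.1.2"
    }
}
android {
    buildTypes {
        release {
            minifyEnabled false
        }
    }
}
'''
# Constructed corrected variant: google() added, minification switched on.
FIXED_GRADLE = (ISSUE_GRADLE.replace('repositories {', 'repositories {\n        google()', 1)
                .replace('minifyEnabled false', 'minifyEnabled true'))

if __name__ == '__main__':
    for label, src in (('issue', ISSUE_GRADLE), ('fixed', FIXED_GRADLE)):
        print(label, lint_gradle(src) or 'ok')
```
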