Safe to hard code a password in mobile app

Published 2019-05-11 15:14

I have a web server that creates a QR code which is [username] + an MD5 hash of [username][password]. Where [username] is the user logged in at the time. Where [password] is a system password set by me and common to the web server and the apps.

My Android/iPhone/BlackBerry/Windows app will scan this QR code and use the [username] provided in the QR code to hash with [password] which will tell me that the QR code came from my server.

Obviously if someone were to get hold of [password] then they could create QR codes that did not come from my web server. So is there any way to safely store [password] in my app, or could someone decompile the .apk and find it in classes.dex?

3 answers
迷人小祖宗
#2 -- 2019-05-11 15:46

No.

If someone is sufficiently motivated, they will be able to reverse engineer a hard-coded password.

三岁会撩人
#3 -- 2019-05-11 15:54

You can obfuscate the password somehow, but ultimately this is only security through obscurity. Someone who wanted to could certainly reverse engineer it.

You probably want to look at public key cryptography to avoid this - even if someone gets access to the public key, they still won't be able to use it to impersonate your server.

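The public-key approach this answer suggests, as an added example (not code from the question or any answerer): the server signs the username with an Ed25519 private key that never leaves the server, and the app verifies the QR payload with only the public key. The payload format `<username>.<base64url signature>` and the function names are assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// generateServerKeys creates the server's signing key pair. Only the public
// half is shipped inside the app; extracting it from classes.dex gives an
// attacker nothing they can sign with.
func generateServerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueQRPayload runs on the server: it replaces md5(username+password)
// with a signature. Assumed format: "<username>.<base64url signature>".
func issueQRPayload(priv ed25519.PrivateKey, username string) string {
	sig := ed25519.Sign(priv, []byte(username))
	return username + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyQRPayload runs in the app with the embedded public key and returns
// the username only if the signature is valid for it.
func verifyQRPayload(pub ed25519.PublicKey, payload string) (string, bool) {
	i := strings.LastIndexByte(payload, '.') // username itself may contain dots
	if i < 0 {
		return "", false
	}
	sig, err := base64.RawURLEncoding.DecodeString(payload[i+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", false
	}
	username := payload[:i]
	if !ed25519.Verify(pub, []byte(username), sig) {
		return "", false
	}
	return username, true
}

func main() {
	pub, priv := generateServerKeys()
	qr := issueQRPayload(priv, "alice") // constructed sample user
	fmt.Println(verifyQRPayload(pub, qr))
	fmt.Println(verifyQRPayload(pub, "mallory"+qr[len("alice"):])) // tampered
}
```

A real payload would also carry an expiry or nonce so a scanned code cannot be replayed indefinitely; the signature alone only proves origin.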
够拽才男人
#4 -- 2019-05-11 16:05

I'm not sure about the other platforms, but if you put your password hard-coded in plaintext on Android they would get it really easily. Other platforms might require more advanced methods. You can hash the password with some more advanced hashing algorithm so that they don't get the original password, but from what you said you don't want them making "fake" QR codes.

The short answer is no, because everything can be cracked somehow if it is on client side.
