String Encryption

String encryption hides the text literals in your application, so an attacker cannot read them straight out of the compiled code.

  • .NET.NET
  • JavaScriptJavaScript
  • AndroidAndroid
  • AppleiOS
Start free
See it in ByteHide Shield
TL;DR

String encryption encrypts the string literals in your code and decrypts them at runtime only when they are needed. In the compiled application, the readable text is gone. An attacker scanning the binary finds encrypted data instead of API endpoints, messages, and keys.

Definition

What is string encryption?

String encryption is a technique that protects the text literals embedded in an application. By default, strings sit in compiled code as readable text, and they are often the fastest way for an attacker to understand what software does.

API endpoints, error messages, configuration keys, and feature flags are all strings. Searching a binary for readable text is usually the first thing an attacker does, and it usually works.

String encryption removes that shortcut. Each literal is stored encrypted and decrypted only at the moment it is used. The application behaves identically, but the binary no longer reveals its strings to a simple scan.

Mechanism

How string encryption works

String encryption transforms how literals are stored and accessed:

  • Encryption at build time. Every string literal is encrypted when the application is built.

  • Runtime decryption. A string is decrypted only when the code actually needs it, then discarded.

  • Key protection. The decryption logic and keys are themselves obfuscated, so they cannot be trivially extracted.

The readable text never exists in the static binary, only the encrypted form does.

Example

String encryption example

The same module, before and after string encryption. The fetch call works the same. The strings an attacker can read do not.

Original

An attacker runs a strings scan over your binary and immediately sees API URLs, messages, and configuration values in plain text.

Encrypted

The same scan returns encrypted data. The literals are decrypted only in memory, only when used.

Original
const API_URL = 'https://api.bytehide.com/v1';
const SECRET_KEY = 'sk_live_5K2pX7nQ';
fetch(API_URL + '/auth', {
    headers: { 'X-API-Key': SECRET_KEY }
});
Encrypted
const API_URL = _s(0x1a3f);
const SECRET_KEY = _s(0x2c12);
fetch(_s(0x1a8e), {
    headers: { [_s(0x3001)]: SECRET_KEY }
});

Use cases

When to use string encryption

String encryption is a base layer worth applying to almost every application. It matters most when your code contains:

  • API endpoints and service URLs.
  • Configuration keys, feature flags, and identifiers.
  • Messages or text that reveal how the application works.

It pairs with name obfuscation and control flow obfuscation: names, structure, and data are the three things an attacker reads, and these three protections cover all of them.

Platform availability

String encryption across platforms

  • .NET

    Encryption of string and constant literals.

  • JavaScript

    String array encoding and encryption of literals.

  • Android

    String literal encryption, decrypted at runtime.

  • iOS

    String encryption in the compiled binary.

Related

Related Shield protections

Frequently asked questions

What is string encryption?
String encryption is a technique that encrypts the text literals in your code and decrypts them at runtime only when needed, so the readable strings cannot be extracted from the compiled application.
Does string encryption affect performance?
The impact is small. Decryption happens only when a string is used, and the operation is lightweight. The level is configurable.
Can encrypted strings still be recovered?
A determined attacker can observe strings in memory at the moment they are decrypted, which is why string encryption is layered with anti-debugging that makes runtime inspection harder.
What kind of strings should be encrypted?
API endpoints, configuration keys, identifiers, and any text that reveals how the application works. String encryption is a base layer for almost every app.
Which platforms support string encryption?
ByteHide Shield provides string encryption for .NET, JavaScript, Android, and iOS.
10,000+ developers and companies protect their applications with ByteHide

Protect your application with
ByteHide Shield

String encryption is one of more than 20 protections in ByteHide Shield. Apply it to your .NET, JavaScript, Android, or iOS application.

Start free
Book a demo
ByteHide runtime dashboard showing live threat monitoring and protection metrics