Background:
I have some obfuscated C code. Obfuscation can only protect the algorithm logic, but cannot hide the variable values from dynamic analysis. I want to further hide some values (e.g., a char array) from memory debugging.
Platform: mobile client-side (not related to remote server)
Assume I have a secret char array:
char secret[15] = {"hide this value"};
Is it possible to hide this value in this way:
Or any other ways?
If an adversary has the ability to freely examine the working memory of your program, such as via a debugger, then within the program there are no secrets from them. In particular, encrypting data in memory is not a reliable safeguard because you have to decrypt it to use it, at which point it can easily be intercepted. But also, the decryption key must be somewhere in memory, where your adversary can find it, thereby obtaining the ability to decrypt your in-memory encrypted data at will.
Obfuscating your code is not a reliable safeguard, either. It may slow down your adversary, but with skill and / or good tools, they will sort out what's what in time. In fact, supposing that you strip debugging symbols from the executable and do not provide source code, the only obfuscation that even is visible is external function and variable names (so don't bother obfuscating anything else).
Protect sensitive data by not putting it in unprivileged hands in the first place. If you deliver data to an untrustworthy device or program, then you should consider it compromised.
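The two points made in the answer above, as an added C example (not code from the question or the answer): the value is readable in memory while it is in use, and wiping it afterwards does not help because the key and the masked bytes stay in the same memory. The one-byte XOR key, the `struct image` stand-in for dumpable process memory, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define N 15  /* length of the question's array, no terminating NUL */

/* Stand-in for the part of process memory a debugger can dump. */
struct image {
    unsigned char key;        /* hypothetical one-byte XOR key */
    unsigned char masked[N];  /* "hide this value" XOR 0x5A (constructed) */
    unsigned char work[N];    /* scratch buffer holding the value during use */
};
static struct image img = { 0x5A,
    { 0x32,0x33,0x3E,0x3F,0x7A,0x2E,0x32,0x33,0x29,0x7A,0x2C,0x3B,0x36,0x2F,0x3F }, { 0 } };

/* Offset of needle inside a memory dump, or -1 if it is not there. */
long find_bytes(const void *dump, size_t len, const void *needle, size_t n) {
    const unsigned char *p = dump;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, needle, n) == 0) return (long)i;
    return -1;
}

/* The program must do this before it can use the value. */
void unmask(struct image *m) {
    for (size_t i = 0; i < N; i++) m->work[i] = m->masked[i] ^ m->key;
}

/* Clear the scratch buffer; volatile keeps the stores from being elided. */
void wipe(struct image *m) {
    volatile unsigned char *w = m->work;
    for (size_t i = 0; i < N; i++) w[i] = 0;
}

/* What an observer gets from a dump alone: key and masked bytes are both in it. */
void recover_from_dump(const unsigned char *dump, unsigned char out[N]) {
    size_t k = offsetof(struct image, key), d = offsetof(struct image, masked);
    for (size_t i = 0; i < N; i++) out[i] = dump[d + i] ^ dump[k];
}

int main(void) {
    const char *want = "hide this value";
    unsigned char out[N];
    long at_rest = find_bytes(&img, sizeof img, want, N);
    unmask(&img);
    long in_use = find_bytes(&img, sizeof img, want, N);
    wipe(&img);
    recover_from_dump((const unsigned char *)&img, out);
    printf("at rest %ld, in use %ld, from dump after wipe: %.*s\n",
           at_rest, in_use, N, (const char *)out);
    return 0;
}
```

Masking only changes what a plain string search over the at-rest image finds; it does not change what the device holder can obtain.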