Context: We are putting some keys that does not expect any future changes or updates unless got compromise, originally these keys are in the server side but for this specific project we will not rely from REST API. We decided to put these keys in C++ and consuming it using JNI.
Currently we are now trying to decompile the APKs
Our question is where to locate and verify if the string constants in the C++ code is properly obfuscated, some says it can be found in .so files but cannot find it in the decompiled APK using JADX.
Once you have an apk file, you can for instance:
apk to zipNow, .so files are usually located inside the lib folder and in particular inside subfolders that matches the different architectures (like for instance armeabi-v7a, x86, x86_64 etc).
.so files cannot be decompiled with JADX since this tool is able to convert dex files into java source files instead.
My suggestion is to perform a simple search for the keys inside the files and if you don't find them you can try to decompile the .so file some c++ decompilers (but it might be a bit challenging).