堆栈内存溢出
  简体   繁体   English

逆向工程的安全性如何?

[英]How secure is proguard against reverse engineering?

 原文  2013-07-15 15:41:37       android/ security/ networking/ passwords/ proguard

问题描述

I will be working with very sensitive data in an app. 我将在应用程序中处理非常敏感的数据。 Obfuscation by my definition is not added security, it will only delay the cracker with finite time. 根据我的定义进行模糊处理不会增加安全性,只会在有限时间内延迟破解者。 Is it possible that Proguard does this so well it may be called added security? Proguard是否有可能做到这一点,它可能被称为增加安全性?

What is most sensitive are some network calls. 最敏感的是一些网络呼叫。 It will be hard to sniff the password because we will generate the password on both sides and check it's validity with timestamps. 嗅探密码很难,因为我们会在双方生成密码,并通过时间戳检查它的有效性。 Problem is the app may be reverse engineered and the generate algorithm may be exploited. 问题是app可能是逆向工程的,并且可以利用生成算法。

It is not possible to keep the algorithm locally in a file because with a rooted phone the cracker may be able to retrieve it. 不可能将算法本地保存在文件中,因为使用root电话,破解者可能能够检索它。 It does not work to download the algorithm from the server because the same problem applies here, if the cracker reverse engineer the app he/she will be able to see where the algorithm is taken from. 从服务器下载算法不起作用,因为这里同样的问题适用,如果破解者对应用程序进行逆向工程,他/她将能够看到算法的来源。

Any input on how to proceed is greatly appreciated! 任何有关如何进行的输入非常感谢!

Edit 编辑

What I am trying to protect is the generate algorithm so the cracker may not send a lot of data to our server. 我想要保护的是生成算法,因此破解者可能不会向我们的服务器发送大量数据。

1 个解决方案

解决方案1
 13 已采纳  2013-07-15 16:35:57

Generally, You can make the crackers life harder. 一般来说,你可以让破解者的生活更加艰难。 The harder you make it, the fewer will remain. 你做得越难,剩下的就越少。 Especially if the financial incentive is limited. 特别是如果财务激励有限。

Your code obfuscation options are: 您的代码混淆选项是:

  • Use proguard, it does a good job, not perfect of course, but good 使用proguard,它做得很好,当然不完美,但很好
  • Use DexGuard, which can make reverse engineering even harder, like by encrypting strings, or detecting code tampering 使用DexGuard,可以使逆向工程更加困难,例如加密字符串或检测代码篡改
  • Write critical parts in C 用C写出关键部分

Regardless of code obfuscation, make your network protocol also hard to mess around with: encrypt and sign messages, make sure messages can not be repeated (by using time or a sequence), and authenticate the client 无论代码混淆,使您的网络协议也难以解决:加密和签名消息,确保消息不能重复(通过使用时间或序列),并验证客户端

Don't save on disk any clear texts that are sensitive. 不要在磁盘上保存任何敏感的明文。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 Android 中使用 R8 和 Proguard 时,如何从逆向工程中保护数据模型类? - How to secure data model classes from reverse engineering when using R8 and Proguard in Android? 如何设置ProGuard规则,使我的核心更难以进行逆向工程 - How to setup ProGuard rules to make my core harder for reverse engineering 如何防止Android APK文件的逆向工程以保护代码? - How to prevent reverse engineering of an Android APK file to secure code? 保护字符串不变以防逆向工程 - Protect string constant against reverse-engineering 如何通过隐藏或加密类文件来避免对APK文件进行反向工程和保护 - how to avoid reverse engineering APK file and secure by hiding or encrypting the class files PubNub安全反对某人逆向工程Android应用程序 - PubNub security against someone reverse engineering an android app Android:逆向工程如何工作? - Android: How do reverse engineering works? 如何解码android xml或XML的反向工程 - how to decode android xml or reverse Engineering of XML 如何保护 Arraylist 免遭逆向工程 - How to protect Arraylist from reverse engineering 如何避免对 APK 文件进行逆向工程 - How to avoid reverse engineering of an APK file
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM