在android中使用JDBC安全可靠吗?
[英]Is it safe and secure to use JDBC in android?
问题描述
I have this for a long time in my mind, but I can't find the answer yet. 
我已经在脑子里想了很久,但是我找不到答案。 I have a MySQL database and I would love to connect my android application to it by using JDBC . 我有一个MySQL数据库,我想使用JDBC将我的android应用程序连接到它。 The question is, how secure it will be. 问题是,它将有多安全。 The SQL injection is not a problem while using the prepared statements and escaping everything, but, if the application get cracked and the source codes decompiled, can the potential hacker see the connection parameters like the link to the database, username and password? 在使用准备好的语句并转义所有内容时,SQL注入不是问题,但是,如果应用程序被破解并且源代码被反编译,潜在的黑客能否看到连接参数,例如到数据库的链接,用户名和密码?
Is it secure to use JDBC on android devices, or it is unsecure and unsafe? 在android设备上使用JDBC是否安全,还是不安全和不安全?
If not, what do you suggest as the safest way to connect to a MySQL database, or a webservice is still the best option for now? 如果不是,那么您认为什么是最安全的连接MySQL数据库的方式,或者Web服务仍然是目前的最佳选择?
2 个解决方案
解决方案1
2 2014-04-17 13:58:00
In case of mobiles there no such thing as perfect reception so you get dropped calls and missing data when the user moves in and out of good reception. 对于移动电话,没有完美的接收之类的东西,因此当用户移入和移出良好的接收信号时,您会掉线并丢失数据。
The JDBC protocol isn't designed to handle the complete/partial disconnect that occurs in mobile, especially when you are in the middle of a query. JDBC协议的设计目的不是处理移动设备中发生的全部/部分断开连接,尤其是当您处于查询中间时。 HTTP on the other hand at least allows you to design in your own retry mechanism as a failed HTTP request is just a failed HTTP request and not an exception bubbling up from the network layer/JDBC driver. 另一方面,HTTP至少允许您设计自己的重试机制,因为失败的HTTP请求只是失败的HTTP请求,而不是从网络层/ JDBC驱动程序冒出来的异常。
解决方案2
2 已采纳 2014-04-17 13:58:04
Hardcoding credentials into your app is pretty much a bad idea, because if someone who has some knowledge about this subject, actually will try cracking you app, and if your app manages some financial sensitive data, they actually will try triplify efforts. 将凭证硬编码到您的应用程序中几乎不是一个好主意,因为如果某个对此主题有一定了解的人实际上会尝试破解您的应用程序,并且如果您的应用程序管理一些财务敏感数据,他们实际上会尝试三倍地努力。
As far as security goes, in this kind of architecture it seems that a Asymmetric encryption algorithm is what best fits this kind of transactions, as you can hardcode/download each time you need the public key for encrypting messages and they'll be only decrypted by the server side using the private key. 就安全性而言,在这种架构中,似乎最适合此类事务的是非对称加密算法,因为每次需要加密消息的公钥时,您都可以硬编码/下载,并且仅对它们进行解密在服务器端使用私钥。
I'd recommend using a web-service with TLS encryption, it won't be 100% secure but at least it will harden things to crackers enough. 我建议使用带有TLS加密的Web服务,它不会100%安全,但是至少它会使事情变得更加艰难。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.