

Obfuscate Assets in Android APK

We can obfuscate an Android APK using ProGuard in Android Studio, which will obfuscate only the Java files in it.

Issue: I want to obfuscate the files stored in my Assets folder as well.

Solution: We can use DexGuard, which requires a license and all that.

Can someone point out any free/open-source alternative?

Short answer: The best alternative is for you to create your own custom encryption system.

You can, under normal circumstances, run a Gradle script (before building the APK) that encrypts your files with a key that is only present on your computer.

If your application has some sort of login system, as soon as you receive success from the login, you can retrieve the key from that same login response and decrypt the files.

Keep in mind that you should copy the files into your application's internal storage before decrypting (as you cannot modify the contents of the files directly in the assets folder).

If your application does not use the Internet, and therefore you cannot obtain the encryption/decryption key through a service, you can store it in a byte array or a randomly named string.

It will under no circumstances prevent the app from being cracked and the files decrypted, but it will surely add another layer of difficulty for anyone who tries to hack it.

In principle, if the information is visible to the regular user of the application, it must be visible to anyone attacking the .apk, and anyone with the same privileges as a regular user can obtain the .apk. So if your app is for the general public and available through the Google store, it is readable by anyone. Obfuscation, encryption with a local key, etc.: all of these will slow down an attacker (or even hold up against a weak attacker), but in principle, if a sufficiently skilled attacker invests enough effort into the attack, he will break whatever you put there.

Obfuscation just prevents low-level attackers from gaining access.


That said, you load your asset files in Java yourself?

Then you can encrypt them with some key, which will be hardcoded and obfuscated inside the .java code, so only people capable of disassembling .dex files and understanding your key will be able to decrypt your assets (or there is another way: take control of the VM running your .apk, wait until your application loads and decrypts the asset, and attack it by dumping it from the VM in decrypted form; this may sometimes be easier if the decryption code is really tricky and hard to understand).

For any decent encryption, use a 3rd-party library (feel free to mix it up with your own solution, but don't expect to create some strong cipher scheme on your own; it takes quite some effort to create anything reasonably strong). Actually, Java and Android have by default several "security" providers with common strong cipher schemes implemented.

But if you don't want some information to leak, then never upload that information to the user's device, and don't show it to the user.


For example, this is why the movie industry's effort to protect movies is so funny: they want both, which is in principle impossible, and they go to great lengths to make it harder, which means mankind has wasted quite some money and effort on producing things like end-to-end encrypted HDMI playback, and even the cable costs a fortune as it can't be a simple cable of wires for this.
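The scheme both answers describe (encrypt the assets at build time so the APK ships only ciphertext, then decrypt at runtime into internal storage with a key that either arrives in the login response or is embedded in the app), as an added example that is not part of the original answers. It uses only javax.crypto, i.e. the providers the second answer refers to, and AES-256-GCM so that a wrong key or a modified asset fails the tag check instead of silently yielding garbage. The base64 key field of the login response, the asset content and the file layout (nonce || ciphertext || tag) are assumptions made for illustration; on Android the input stream would come from `context.getAssets().open(name)` and the output stream from `context.openFileOutput(name, MODE_PRIVATE)`, and `java.util.Base64` needs API 26 or newer.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not from the original post): AES-256-GCM asset encryption and decryption. */
public final class AssetCrypto {
    private static final int NONCE_BYTES = 12;  // recommended GCM nonce size
    private static final int TAG_BITS = 128;    // GCM authentication tag length

    /** Build-time step (run from a Gradle task on the developer machine). Layout: nonce || ciphertext || tag. */
    public static byte[] encrypt(byte[] plaintext, SecretKey key) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);  // fresh nonce per file; nonce reuse under one key breaks GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_BYTES + ct.length);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    /**
     * Runtime step: stream the encrypted asset (e.g. context.getAssets().open(name)) into a file
     * in internal storage (e.g. context.openFileOutput(name, MODE_PRIVATE)). The GCM tag is
     * verified before the stream completes, so a wrong key or a modified asset throws.
     */
    public static void decryptStream(InputStream in, OutputStream out, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        readFully(in, nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        // A tag mismatch surfaces as an IOException (wrapping AEADBadTagException on the JDK).
        try (CipherInputStream cis = new CipherInputStream(in, cipher)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = cis.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }

    /** Key material delivered out of band, e.g. a base64 field of the login response (assumed format). */
    public static SecretKey keyFromBase64(String b64) {
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) throw new IllegalArgumentException("expected a 256-bit AES key");
        return new SecretKeySpec(raw, "AES");
    }

    private static void readFully(InputStream in, byte[] dst) throws IOException {
        int off = 0;
        while (off < dst.length) {
            int n = in.read(dst, off, dst.length - off);
            if (n < 0) throw new IOException("truncated encrypted asset");
            off += n;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the key the build machine used, as the server would later return it.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        String keyFromLogin = Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
        byte[] asset = "level-1 map data (constructed sample asset)".getBytes(StandardCharsets.UTF_8);

        byte[] shipped = encrypt(asset, keyFromBase64(keyFromLogin));  // this is what goes into assets/

        ByteArrayOutputStream internal = new ByteArrayOutputStream();   // stands in for internal storage
        decryptStream(new ByteArrayInputStream(shipped), internal, keyFromBase64(keyFromLogin));
        System.out.println("round trip ok: " + Arrays.equals(asset, internal.toByteArray()));

        // Flipping one ciphertext byte must fail the tag check rather than produce garbage.
        byte[] tampered = shipped.clone();
        tampered[NONCE_BYTES] ^= 0x01;
        try {
            decryptStream(new ByteArrayInputStream(tampered), new ByteArrayOutputStream(),
                    keyFromBase64(keyFromLogin));
            System.out.println("tamper check FAILED");
        } catch (IOException | GeneralSecurityException e) {
            System.out.println("tampered asset rejected: " + e);
        }
    }
}
```

Run it with `java AssetCrypto.java` (JDK 11+) to see the round trip succeed and the tampered copy be rejected. The offline variant from the first answer changes only where the key comes from: `keyFromBase64` would be fed a string assembled in code instead of the login response, which, as both answers note, moves the problem to how well that string is hidden in the .dex, not whether it can be found.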

Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions, contact: yoyou2525@163.com.

Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM