简体繁体 English

你如何保护APK中包含的信息？

[英]How can you protect info contained in an APK?

原文 2011-02-18 03:51:06 4 2 java/ android/ apk

I assume someone's built an APK decompiler..... What's the best practice to secure sensitive info (like auth parameters for a backend database)? 我假设有人建立了一个APK反编译器......保护敏感信息的最佳做法是什么（比如后端数据库的auth参数）？ I suppose some kind of middleware would work but that can't do good things for speed. 我想某种中间件可以工作，但这对速度无法做好事。 What's the "right way"? 什么是“正确的方式”？

2 个解决方案

If you're writing an Andoid app and using AWS, strongly recommend you check out: 如果您正在编写Andoid应用程序并使用AWS，强烈建议您查看：

https://github.com/apetresc/awskeyserver https://github.com/apetresc/awskeyserver

Author uses the AWS IAM (Identity and Access Management service) with Google App Engine to successfully protect authentication parameters. 作者使用AWS IAM（身份和访问管理服务）与Google App Engine成功保护身份验证参数。 I imagine IAM will eventually be included in AWS' Android SDK but until then, this is a great option. 我想IAM最终将被包含在AWS的Android SDK中，但在此之前，这是一个很好的选择。

It's difficult to reverse-engineer Dalvik byte code; 很难对Dalvik字节码进行反向工程; my understanding is that there's not a simple mapping back to Java byte code, much less to Java source, particularly if it's gone through ProGuard. 我的理解是，没有简单的映射回Java字节代码，更不用说Java源代码，特别是如果它已经通过ProGuard。 However , auth parameters are usually data, not code, and that can be snooped for rather more easily. 但是，auth参数通常是数据，而不是代码，并且可以更容易地窥探。 Moreover, someone interested in breaking your credentials has lots of other means of attack, including packet sniffing, that don't require recovering your source code. 此外，有兴趣破坏您的凭据的人还有许多其他攻击手段，包括数据包嗅探，不需要恢复您的源代码。 The comment by Anon is exactly right—don't trust the client. Anon的评论是完全正确的 - 不要相信客户。

As to best practices, you can use a public key encryption system, get credentials from the server, etc., to avoid putting sensitive info into the .apk file. 对于最佳实践，您可以使用公钥加密系统，从服务器获取凭据等，以避免将敏感信息放入.apk文件中。 Don't trust obfuscation or obscure byte code to keep your secrets. 不要相信混淆或模糊字节代码来保守你的秘密。 They won't. 他们不会。