
Securing an Android application

I have 'secured' the communication between my Android application and a TLS server providing a financial transaction service, currently in development.

The security credentials are stored in a BKS keystore included in the Android apk. The password to the keystore is visible in plain text in the application source:

keyStore.load(is, "passwd".toCharArray());

I am concerned that if someone were to reverse engineer the app, they would be able to impersonate another user and compromise the security of the service.

I was wondering whether there is a fault in my implementation, whether anyone else has this concern, and what the best method of securing against this possibility is.

Whenever you store security data on the client, it can be compromised by reverse engineering. You may try to obscure it in the code, but a determined hacker will figure it out anyway. So the only way to make it more secure is not to have the password openly in the code. Maybe you can just ask the user for some PIN code at the start of the application and use it to decrypt the password?

Are the credentials stored in your app unique per user, i.e. does every user get their own apk with unique credentials? If you only have one apk with the same credentials, then this is as good as no security. Even worse, it gives a false feeling of security.

You (your employer) should really hire a security expert to design your system from a security point of view.

Here's what I'd do:

  1. The app comes without security credentials.
  2. Security credentials are generated for every user on the server.
  3. Every user gets a secret activation code which is generated in a secure environment and delivered via an alternative channel. Preferably via snail mail. Activation codes are time-limited and can be used only once.
  4. On first use, the user types the activation code into the app, which enables a one-time download of the credentials over a secure (https) channel.
  5. The user provides a password to encrypt the credentials while they are stored on the device.
  6. Every time the app is used, the user must provide this password. If the app is not used for some time, the app must time out the session and ask for the password again when the user wants access.

But don't take my word for granted. You still need a security expert if there are financial transactions involved.
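One way to carry out steps 5 and 6 above, and the "decrypt it with a user PIN" idea from the earlier answer, as an added example that is not code from the original thread: the per-user credential blob fetched during activation is sealed under a key derived from the user's password with PBKDF2 and AES-GCM, so the apk itself carries no usable secret. The class and method names (CredentialVault, seal, open) and the sample blob and PIN are assumptions constructed for the example.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialVault {
    private static final int SALT_BYTES = 16, IV_BYTES = 12, TAG_BITS = 128, ITERATIONS = 100_000;

    // Derive the wrapping key from the user's password; nothing about it lives in the apk.
    static SecretKey deriveKey(char[] userPassword, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(userPassword, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Seal the credential bytes (e.g. the per-user BKS blob) for storage. Layout: salt || iv || ct+tag.
    static byte[] seal(byte[] credentials, char[] userPassword) throws Exception {
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt); rnd.nextBytes(iv);   // fresh salt and nonce per seal
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(userPassword, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(credentials);
        return ByteBuffer.allocate(SALT_BYTES + IV_BYTES + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Open at each app start or after the session timeout; a wrong password or a tampered blob
    // fails GCM tag verification (AEADBadTagException) instead of yielding garbage.
    static byte[] open(byte[] sealed, char[] userPassword) throws Exception {
        byte[] salt = Arrays.copyOfRange(sealed, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(sealed, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(sealed, SALT_BYTES + IV_BYTES, sealed.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(userPassword, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] blob = "constructed stand-in for the per-user keystore".getBytes("UTF-8"); // constructed
        char[] pin = "user-chosen-pin".toCharArray();   // constructed; entered by the user, never stored
        byte[] stored = seal(blob, pin);                  // persist this in app-private storage
        System.out.println(Arrays.equals(blob, open(stored, pin)));
    }
}
```

PBKDF2WithHmacSHA256 is available from Android API 26; older releases only offer PBKDF2WithHmacSHA1. The protection is only as strong as the password the user types, which is why the answer also insists on a session timeout and on server-generated, per-user credentials.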

I believe that Diffie-Hellman Key Exchange is what I was looking for. I'd rather not have to re-implement my own version of DH using a complicated process which involves the user.

Currently programming for a processing company -

There are a set of rules and regulations for a transaction application -OR- a POS APP (Point Of Sale application).

The rules are listed online as PCI validation; a certain amount of security has to be issued or it will be a lawsuit from Visa, Inc. or many other companies.

About your question: it doesn't follow PCI compliance, as that is a security issue.

Please read the PCI compliance so that there is a complete understanding of security; it's not good to compromise cardholder data.

:) :)
