Hiding encryption key in Android Application

I want to hide some data that is entered by the user in the user's phone encrypted. As far as I know I can encrypt/decrypt data using a key/seed value, but if I hide the key value in code, I know it can be found somehow (e.g. decompiling the Java code).

Do you have any suggestions to make the process harder?

It is impossible to hide the key in the app such that a resourceful hacker won't be able to pull it out. You can try to obfuscate the key and make it difficult to find, but it will always be doable.

See this: https://www.excelsior-usa.com/articles/java-obfuscators.html#examples

The best option would be to require your users to specify a PIN or password and to use that as the encryption key. That way if the device is lost or stolen the key is still safe and it also prevents someone from decompiling your app and getting the encryption key for all instances of your application.

One of the new features in Ice Cream Sandwich (Android 4.0) is the keychain API. From the Platform Highlights page (emphasis mine):

Android 4.0 makes it easier for applications to manage authentication and secure sessions. A new keychain API and underlying encrypted storage let applications store and retrieve private keys and their corresponding certificate chains. Any application can use the keychain API to install and store user certificates and CAs securely.

If you are doing this for username/password data, you should check out implementing an Authenticator.

Since Android does not have any secure storage on it (at least as of 2.2), you would have to write your own.

The only way to do this really securely is to encrypt with a key derived from a user-supplied password (PBKDF2/RFC 2898 being the way to do that). Crypto is only as secure as your key, and if you store that on the phone in any way, then someone can find it and use it. This allows you to have the user store the key without actually remembering a large AES key.

There may be libraries that do this for Android. I wrote one for Windows Phone that can be found here if you want some basis for how to do it.

If encryption/decryption all happens on the handset, a determined hacker will be able to crack it. You can make life harder by using obfuscation, or (if appropriate for your application), adding user input into the encrypt/decrypt code.

If your application requires network connectivity, it might be worth off-loading some of the code to a server running elsewhere, so that encrypted data lives on the device, but keys are downloaded at run-time. Still not hack-proof, but it reduces risks to confidential data on a stolen device.
