Android:逆向工程如何工作?
[英]Android: How do reverse engineering works?
问题描述
I want to be sure that my app's content is safe. 
我想确保我的应用程序的内容是安全的。 I have a password for encrypted database inside of my app and I just want to figure out if there are safe places in my project which can't be accessed by reverse engineering. 我的应用程序内部有一个用于加密数据库的密码,我只想弄清楚项目中是否存在安全的地方,而这些地方不能通过逆向工程进行访问。
And it would be great if u explain shortly how reverse engineering works. 如果您能尽快解释一下逆向工程的工作原理,那将是很棒的。 ThanQ. 谢谢。
And plz don't post links to ProGuard! 而且plz不要发布指向ProGuard的链接!
5 个解决方案
解决方案1
4 已采纳 2012-08-01 08:11:03
Any hard-coded value CAN be viewed by reverse engineering your app. 可以通过对应用程序进行反向工程来查看任何硬编码的值。
This includes passwords, urls, etc. 这包括密码,网址等。
In order to reverse engineer an android app, proceed with the following steps: 为了对Android应用程序进行反向工程,请继续以下步骤:
1- Rename your app's APK file to ZIP (eg myapp.apk -> myapp.zip) 1-将您的应用的APK文件重命名为ZIP(例如myapp.apk-> myapp.zip)
2- Open the zip file and retrieve the classes.dex file. 2-打开zip文件并检索classes.dex文件。
3- Use dex2jar to get a jar file from classes.dex 3-使用dex2jar从classes.dex获取jar文件
4- Use jd-gui to open the jar file and view your original code. 4-使用jd-gui打开jar文件并查看您的原始代码。
解决方案2
1 2012-08-01 08:09:06
Haawa, 哈瓦
If you are storing the password in your app as a static string, it is NOT safe. 如果您将密码作为静态字符串存储在应用程序中, 则不安全。 It is trivially easy to get to it, even if you are using ProGuard. 即使使用ProGuard,也很容易做到。 The best way to safeguard it is to not store it at all. 保护它的最好方法是根本不存储它。 Instead, if possible, have your app send a unique identifier of some kind to a server that validates the user (possibly using LVL), then the server hands back a DB password or the actual DB data itself (stored on the server). 相反,如果可能的话,让您的应用向服务器发送某种唯一的标识符以验证用户身份(可能使用LVL),然后该服务器将回发数据库密码或实际的数据库数据本身(存储在服务器上)。
If this is not possible, or if you don't have access to your own server, at least obfuscate the string in some way by storing it as a XOR'ed string or better yet, come up with your own function to obsfucate the string. 如果这是不可能的,或者如果您无法访问自己的服务器,则至少可以通过将其存储为XOR或更好的字符串来对字符串进行混淆,或者提出自己的函数来对字符串进行混淆。 NEVER have a line in your java code that looks like password = "mypass"; 您的Java代码中永远不会有一行看起来像password = "mypass";
解决方案3
0 2012-08-01 08:09:51
In reverse engineering : your .apk file Rename from .apk to .zip file , then abstract zip file and find your folder, 在逆向工程中:您的.apk文件从.apk重命名为.zip文件,然后提取zip文件并找到您的文件夹,
But You can not able for find .class file of your Project 但是您无法找到项目的.class文件
解决方案4
0 2012-08-01 08:10:11
Reverse engineering is more about recreating intellectual property by careful analyzing application's behavior aspects. 逆向工程更多地是通过仔细分析应用程序的行为方面来重新创建知识产权。 Regarding security matters, I think, social engineering should be of more concern to you 关于安全性问题,我认为, 社会工程学应该引起您的更多关注
解决方案5
0 2012-08-01 12:42:28
Others have explained the reverse engineering, so I will explain how you should encrypt the database. 其他人已经解释了反向工程,因此我将解释您应该如何加密数据库。
You should encrypt the database using the user's credentials (username and password or PIN) as the key. 您应该使用用户的凭据(用户名和密码或PIN)作为密钥来加密数据库。 When the user starts the application, they should be prompted for the credentials. 用户启动应用程序时,应提示他们输入凭据。 The key should not be hard coded. 密钥不应该硬编码。
This prevents an attacker from accessing the user's data without having the credentials. 这样可以防止攻击者在没有凭据的情况下访问用户的数据。
If you are trying to hide the data from everyone including the user, yet have the application be able to access it, then you have to store it on the server and only request the data that you're willing to show to the user. 如果您试图对所有人(包括用户)隐藏数据,但又让应用程序能够访问它,那么您必须将其存储在服务器上,并且仅请求您愿意显示给用户的数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.