How to prevent reverse engineering apk to get server login?
Question
I'm trying to find a way to make my Android app secure before releasing it. Currently I'm using https/ssl for server communication, with hidden password protected directories on the server that the app talks to. In those directories the app interfaces with PHP scripts that handle communication with the server data. My biggest vulnerability as I see it is the use of literal strings in the apk file to get access to the server password protected directories where the PHP scripts are. These literal strings could be detected by binary inspection or possibly attaching a debugger. What I've read so far is that it's not possible to obfuscate a literal string.
My question is, how can I prevent the discovery of the passwords to the hidden directories where the operating PHP scripts are? Alternately, what other approach should I be taking to keep server logins secure and reduce the chance of server attacks?
2 answers
solution1
3 2015-08-31 04:55:43
I think the best approach is to verify your app's signing certificate at run time. From that you don't need to hard-code any credentials in the app. currently Facebook SDK is using it. Please look at following.
solution2
0 2015-08-31 05:13:27
也许使用加密比不进行加密更有意义,您需要控制如何处理私钥。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.