How can you protect info contained in an APK?
Question
I assume someone's built an APK decompiler..... What's the best practice to secure sensitive info (like auth parameters for a backend database)? I suppose some kind of middleware would work but that can't do good things for speed. What's the "right way"?
2 answers
solution1
2 2011-03-07 01:58:47
If you're writing an Andoid app and using AWS, strongly recommend you check out:
https://github.com/apetresc/awskeyserver
Author uses the AWS IAM (Identity and Access Management service) with Google App Engine to successfully protect authentication parameters. I imagine IAM will eventually be included in AWS' Android SDK but until then, this is a great option.
solution2
1 ACCPTED 2011-02-18 04:08:26
It's difficult to reverse-engineer Dalvik byte code; my understanding is that there's not a simple mapping back to Java byte code, much less to Java source, particularly if it's gone through ProGuard. However , auth parameters are usually data, not code, and that can be snooped for rather more easily. Moreover, someone interested in breaking your credentials has lots of other means of attack, including packet sniffing, that don't require recovering your source code. The comment by Anon is exactly right—don't trust the client.
As to best practices, you can use a public key encryption system, get credentials from the server, etc., to avoid putting sensitive info into the .apk file. Don't trust obfuscation or obscure byte code to keep your secrets. They won't.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.