
How to hide public key on android?

Android's security manual says that it is not safe to keep the public key (used for the Android Market) just as a string and that it should be hidden/encoded somehow. Can somebody please provide me with an example of how it can be done?

(I don't have a separate server, so it cannot be stored there.)

Upd. I believe this is quite a common task, related not only to Android but to other apps as well.

The relevant text from the page you linked to is this:

Important: To keep your public key safe from malicious users and hackers, do not embed your public key as an entire literal string. Instead, construct the string at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want to make it easy for a hacker or malicious user to replace the public key with another key.

That's pretty much all you need to know. There's no harm in people knowing your public key; the potential harm here is that someone replaces the public key in your program with their own in an effort to divert in-app purchases to their own account.

They're suggesting that you make it more difficult for that attacker by storing the key in separate pieces or XORing the key with some other string. Now, instead of just pasting their key over yours, they have to figure out what transforms you're doing to the string and make their own key fit that pattern. This is more work and might deter casual attackers, but won't prevent someone who is really determined.
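The "pieces plus XOR" idea from the answer above, written out as an added example (this is not code from the original post or from Android's documentation). It assumes a build-time step that XORs the key against a mask string and splits the result into chunks, and a runtime step that reverses both; the key, the mask and the class name are placeholders constructed for this example. The optional SHA-256 comparison only detects a key that was swapped without the digest being updated, which is exactly the "deters casual attackers, not determined ones" limit the answer describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added example: keep the licensing public key out of the binary as one
 * literal. The key bytes are XORed against MASK and stored as several
 * pieces; the real key only exists in memory after reassemble() runs.
 * MASK and the key in main() are placeholders constructed for this example.
 */
public final class ObfuscatedPublicKey {

    // Hypothetical mask string; in a real build use something unrelated to the key.
    private static final byte[] MASK =
            "a-mask-string-of-any-length".getBytes(StandardCharsets.UTF_8);

    private ObfuscatedPublicKey() {}

    /** Build-time helper: XOR the key with MASK and split it into 'pieces' chunks. */
    public static byte[][] obfuscate(String key, int pieces) {
        if (pieces < 1) {
            throw new IllegalArgumentException("pieces must be >= 1");
        }
        byte[] raw = key.getBytes(StandardCharsets.UTF_8);
        byte[] masked = new byte[raw.length];
        for (int i = 0; i < raw.length; i++) {
            masked[i] = (byte) (raw[i] ^ MASK[i % MASK.length]);
        }
        int chunk = (masked.length + pieces - 1) / pieces;  // ceiling division
        byte[][] out = new byte[pieces][];
        for (int p = 0; p < pieces; p++) {
            // Clamp so a key shorter than 'pieces' yields empty trailing chunks instead of an exception.
            int from = Math.min(p * chunk, masked.length);
            int to = Math.min(from + chunk, masked.length);
            out[p] = Arrays.copyOfRange(masked, from, to);
        }
        return out;
    }

    /** Runtime: concatenate the pieces and undo the XOR to recover the key string. */
    public static String reassemble(byte[][] pieces) {
        int total = 0;
        for (byte[] p : pieces) {
            total += p.length;
        }
        byte[] raw = new byte[total];
        int i = 0;
        for (byte[] p : pieces) {
            for (byte b : p) {
                raw[i] = (byte) (b ^ MASK[i % MASK.length]);
                i++;
            }
        }
        return new String(raw, StandardCharsets.UTF_8);
    }

    /** Optional tamper check: SHA-256 of the reassembled key against a digest computed at build time. */
    public static boolean matchesDigest(String key, byte[] expectedSha256) {
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(key.getBytes(StandardCharsets.UTF_8));
            // Constant-time comparison so the check itself leaks nothing about the digest.
            return MessageDigest.isEqual(actual, expectedSha256);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the Java platform", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder; not a real Market key.
        String key = "MIIB-PLACEHOLDER-NOT-A-REAL-KEY-IDAQAB";

        // Done once by the developer; the resulting arrays are what gets pasted into the app source.
        byte[][] pieces = obfuscate(key, 4);
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(key.getBytes(StandardCharsets.UTF_8));

        // What the app does at runtime, just before handing the key to the licensing library.
        String back = reassemble(pieces);
        System.out.println("round trip ok: " + back.equals(key));
        System.out.println("digest ok:     " + matchesDigest(back, digest));
    }
}
```

In practice only `MASK`, the generated `pieces` arrays, the digest and `reassemble()`/`matchesDigest()` ship in the app; `obfuscate()` belongs in a build script. Anyone who can patch the pieces can also patch the mask and the digest, so treat this as a speed bump, not a protection.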

If you use the Keytool utility, this is all done for you. You'll get a .keystore file on your local computer containing your private key(s) that is encrypted with a password; keep that file and the password secret and you're secure.

http://developer.android.com/guide/publishing/app-signing.html

In fact I believe the Android plugin for Eclipse even does all of this for you automatically.

On the public key, you can hash it and save it as a hash value. Better yet would be to salt the hash value with something you would know when you need to get the hashed value back. Maybe something like the user name, or the ESN. Look at android.telephony.TelephonyManager.getDeviceId()
