你怎么能保护包含在APK信息？ [英] How can you protect info contained in an APK?

问题描述

我以为谁家内置的APK反编译.....什么是保护敏感信息（如身份验证参数后端数据库）的最佳实践？我想，一些中间件会工作，但不能对速度做好事。什么是正确的方式？

I assume someone's built an APK decompiler..... What's the best practice to secure sensitive info (like auth parameters for a backend database)? I suppose some kind of middleware would work but that can't do good things for speed. What's the "right way"?

推荐答案

这是难以扭转工程师的Dalvik字节code;我的理解是，有没有一个简单的映射回Java字节code，更不用说Java源代码，特别是当它通过ProGuard的了。 然而，AUTH参数通常是数据，而不是code，并且可以更容易地窥探了相当。此外，有人有意破坏您的凭据有很多其他的攻击手段，包括数据包嗅探，不需要恢复源$ C ​​$ C。通过匿名的评论是完全正确和mdash;不要相信客户端

It's difficult to reverse-engineer Dalvik byte code; my understanding is that there's not a simple mapping back to Java byte code, much less to Java source, particularly if it's gone through ProGuard. However, auth parameters are usually data, not code, and that can be snooped for rather more easily. Moreover, someone interested in breaking your credentials has lots of other means of attack, including packet sniffing, that don't require recovering your source code. The comment by Anon is exactly right—don't trust the client.

至于最佳实践，您可以使用公共密钥加密系统，您可以通过服务器证书等，以避免将敏感信息进入的.apk文件。不要相信混淆或模糊的字节code，以保持你的秘密。他们不会。

As to best practices, you can use a public key encryption system, get credentials from the server, etc., to avoid putting sensitive info into the .apk file. Don't trust obfuscation or obscure byte code to keep your secrets. They won't.

这篇关于你怎么能保护包含在APK信息？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！