保密钥匙的秘密 - 在Android应用程序..任何想法 [英] Keeping secret key SECRET - within Android app.. any ideas
问题描述
我已经在我的Android应用程序之一mcrypt的加密和解密程序。这实质上是解密它是通过获取一个字符串。远程调用。自然的秘密钥匙被存储在了code,但任何人都apktool可以明显看到code,看到我的秘密密钥。
I have an mcrypt encryption and decryption routine within one of my Android apps. This is essentially decrypting a string which is fetched via. remote call. Naturally the "secret key" is stored within the code, but anyone with apktool can obviously see the code and see my secret key.
反正是有加密所有的Java code,所以即使去编译它不会是可读/理解?
Is there anyway to encrypt all the Java code so that even if de-compiled it would not be readable/understandable?
我听说ProGuard的,但是从阅读它,似乎并没有足够的用于此目的。
I've heard of ProGuard, but from reading about it, doesn't seem sufficient for this purpose.
推荐答案
您永远不应该把里面的code密钥。编译code可以很容易地逆向工程和任何一个调试器可以连接到创建实际的关键点。安全总是依赖于算法,假设在客户端code是公共的和潜在的攻击者有一个副本。
You should never put a secret key inside code. Compiled code can be easily reverse-engineered and anyone with a debugger can hook to the point where the actual key is created. Security always relies on the algorithm, it is assumed that the client code is public and a potential attacker has a copy.
隐藏在code文字只是拖延拿到钥匙的过程中,攻击者,但并不能prevent以任何方式。
Hiding literals in code just delays the attacker in the process of getting the key, but it doesn't prevent it in any way.
这篇关于保密钥匙的秘密 - 在Android应用程序..任何想法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
