在APK固定字符串 [英] Securing string in APK
问题描述
我开发使用单为Android由Xamarin的Android应用程序。我目前努力增加使用谷歌API游戏在应用程序内购买功能。要做到这一点,我需要我的应用程序内发送谷歌公共许可证密钥。关于这个问题,谷歌提出以下建议:
I am developing an android app using Mono for Android by Xamarin. I am currently working on adding in-app-purchase capability using the Google Play API. To do so, I need to send Google the public license key from within my app. Regarding this issue, Google recommends the following:
安全建议:强烈建议您不要
硬code作为提供的准确的公共许可证密钥字符串值
谷歌播放。相反,你可以构建整个公共许可证密钥
串,对从子运行时,或从加密检索
存储,将它传递给构造函数之前。这种方法使得
更难恶意第三方修改的公众
许可证密钥字符串中的APK文件。
Security Recommendation: It is highly recommended that you do not hard-code the exact public license key string value as provided by Google Play. Instead, you can construct the whole public license key string at runtime from substrings, or retrieve it from an encrypted store, before passing it to the constructor. This approach makes it more difficult for malicious third-parties to modify the public license key string in your APK file.
我从来没有处理加密,黑客/破解或软件安全性等方面,所以我不知道如何实现谷歌的建议。我的问题是一个人如何的充分的固定在Android APK字符串使用Mono为Android做,而不必成为一个安全专家?
I have never dealt with encryption, hacking/cracking or any of other facet of software security, so I am not sure how to implement Google's advice. My question is how does one adequately secure a string in an Android APK made with Mono for Android without having to be a security expert?
推荐答案
不健全的太大胆,但我相信你可以放心地忽略他们的建议。他们暗示什么的保障福利是最小的最好的。
Not to sound too bold, but I believe you can safely ignore their suggestion. The security benefits of what they're suggesting are minimal at best.
有关更详细的讨论阅读:<一href=\"http://stackoverflow.com/questions/11671865/how-to-protect-google-play-public-key-when-doing-inapp-billing\">How保护做应用程式内开票当谷歌播放公钥
For a more detailed discussion read this: How to protect Google Play public key when doing InApp Billing
事实是,没有一种方法描述有完全安全的。如果有人决心要弄清楚你的公钥出来,他们会的。不管你做什么,公钥将最终传递到构造函数,因此,恶意用户可以随时在这一点上进行检查。所有的游戏,他们所提出的建议只是使这个有点难度,但绝对不是不可能的。
The truth is that none of the methods described there are perfectly secure. If someone is determined to figure your public key out, they will. No matter what you do, the public key will end up being passed to the ctor, so a malicious user could always examine it at this point. All the "games" they are suggesting are just making this a bit more difficult, but definitely not impossible.
我觉得你最好的选择是接受这对于它到底是什么。这关键是公开的一个原因,你需要忍受的事实,它可以很容易地受到损害。因为其他人在晚上睡觉也知道这一点,我不明白为什么你不应该也:)
I think your best bet is accepting this for what it really is. This key is public for a reason and you need to live with the fact that it could be compromised easily. Since everybody else sleeps well at night knowing this, I see no reason why you shouldn't as well :)
如果你真的不能入睡,想做点事..将在code密钥与前两个字符切换。然后在运行时,使用该键之前的两个字符切换回来。这应该是足够的,以保护自己免受暴力自动化攻击..智能攻击,你不能做任何事情。
If you really can't sleep at night and want to do something.. Place your key in your code with the first two characters switched. Then during runtime, switch the two characters back before using the key. This should be enough to protect yourself against brute force automated attacks.. Intelligent attacks you can't do anything about.
编辑:
如果你正在寻找保护您的code行业标准的方式,用商业混淆。这些工具被设计用于此目的。一些例子是单为Android,code混淆。确保使用功能齐全的商业版本,其中包括加密字符串。
If you're looking for an industry standard way to protect your code, use a commercial obfuscator. These tools are designed for this purpose. Some examples are Mono for Android, code obfuscation. Make sure to use fully featured commercial versions that include string encryption.
这篇关于在APK固定字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
