简单的隐藏/ APK中的字符串混淆？ [英] Simple hiding/obfuscation of strings in APK?

问题描述

有时候，你需要存储的应用程序本身，如用自己的服务器进行通信的用户名/密码的密码。在这种情况下，它不可能按照存储密码的正常过程 - 即哈希密码，存储哈希，比较散列用户输入 - 因为你没有任何用户输入到哈希比较。密码需要由应用程序本身来提供。因此，如何保护在APK存储的密码？下面会像一个密码生成功能是相当安全的？

Sometimes you need to store a password in the app itself, such as a username/password for communicating with your own server. In these cases it's not possible to follow the normal process of storing passwords - i.e. hash the password, store the hash, compare to hashed user input - because you don't have any user input to compare the hash to. The password needs to be provided by the app itself. So how to protect the stored password in the APK? Would a password-generating function like the one below be reasonably secure?

纯文本：

String password = "$()&HDI?=!";

简单模糊处理：

private String getPassword(){
    String pool = "%&/@$()7?=!656sd8KJ%&HDI!!!G98y/&%=?=*^%&ft4%(";
    return pool.substring(4, 7) + pool.substring(20, 24) + pool.substring(8, 11);
}

我知道的ProGuard有一定的迷惑能力，但我很好奇什么上面的加密技术做时，它的编译，以及如何努力，这将是有人通过查看APK和/或使用看着办吧其他更复杂的技术？

I know ProGuard has some obfuscation capabilities, but I'm curious about what the above "obfuscation" technique does when it's compiled, and how hard it would be for someone to figure it out by looking in the APK and/or using other more sophisticated techniques?

推荐答案

TL;博士如果您在您的APK存储密码，并把它送给别人谁知道如何反编译它，他可以轻松地获取您的密码，不管你做了什么隐藏了。

tl;dr If you store a password in your APK and give it to somebody who knows how to decompile it, he can easily get your password no matter what have you done to "hide" it.

我知道的ProGuard有一定的迷惑能力，但我很好奇
  什么时候它的编译上面有哪些加密技术呢，
  这将是多么困难的人通过查看弄明白
  在APK和/或使用其它更复杂的技术？

I know ProGuard has some obfuscation capabilities, but I'm curious about what the above "obfuscation" technique does when it's compiled, and how hard it would be for someone to figure it out by looking in the APK and/or using other more sophisticated techniques?

我会告诉你它是多么容易，如果你已经知道该怎么做。这里是一个Android SSCCE 我们将编译：

I will show you how easy it is, if you already know what to do. Here is an Android SSCCE which we will decompile:

MyActivity.java ：

public class MyActivity extends Activity {

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        TextView text = (TextView) findViewById(R.id.text);
        text.setText(getPassword());
    }

    private String getPassword() {
        String pool = "%&/@$()7?=!656sd8KJ%&HDI!!!G98y/&%=?=*^%&ft4%(";
        return pool.substring(4, 7) + pool.substring(20, 24) + pool.substring(8, 11);
    }
}

的main.xml ：

<?xml version="1.0" encoding="utf-8"?>
<TextView xmlns:android="http://schemas.android.com/apk/res/android"
          android:id="@+id/text"
          android:layout_width="fill_parent"
          android:layout_height="wrap_content"/>

编译并运行，我们可以看到后 $（）及？！HDI = 在的TextView 。

让我们反编译的APK：

Let's decompile an APK:

1. 解压myapp.apk 或者在APK单击鼠标右键，解压缩此处。
   classes.dex 显示文件。


2. 转换 classes.dex 与 dex2jar 。执行后， dex2jar.sh classes.dex ， classes_dex2jar.jar 文件
   出现。



3. 在使用 classes_dex2jar.jar 一些Java反编译器，例如的 JD-GUI ，我们检索这样的Java code从 MyActivity.class ：

1. unzip myapp.apk or right-click on the APK and Unzip here. classes.dex file appears.
2. Convert classes.dex to JAR file with dex2jar. After executing dex2jar.sh classes.dex, classes_dex2jar.jar file appears.

3. Using some Java decompiler on classes_dex2jar.jar, for example JD-GUI, we retrieve such Java code from MyActivity.class:

public class MyActivity extends Activity
{
    private String getPassword()
    {
        return "%&/@$()7?=!656sd8KJ%&HDI!!!G98y/&%=?=*^%&ft4%(".substring(4, 7) 
+ "%&/@$()7?=!656sd8KJ%&HDI!!!G98y/&%=?=*^%&ft4%(".substring(20, 24) 
+ "%&/@$()7?=!656sd8KJ%&HDI!!!G98y/&%=?=*^%&ft4%(".substring(8, 11);
    }

    public void onCreate(Bundle paramBundle)
    {
        super.onCreate(paramBundle);
        setContentView(2130903040);
        ((TextView)findViewById(2131034112)).setText(getPassword());
    }
}

ProGuard的不禁多，code将仍然易于阅读。

ProGuard can't help much, the code will be still easily readable.

根据以上情况，我已经可以给你一个答案了这个问题：

Based on the above, I can already give you an answer for this question:

下面会像一个密码生成功能合理
  安全吗？

Would a password-generating function like the one below be reasonably secure?

没有。正如你所看到的，它增加了通过一点点读反混淆code困难。我们不应该混淆code以这样的方式，因为：

No. As you can see, it increases difficulty of reading deobfuscated code by a tiny bit. We should not obfuscate the code in such way, because:

1. 这是开发人员的浪费时间。


2. 它减少了code的可读性和可维护性。

1. It is a waste of developer's time.
2. It decreases readability and maintainability of the code.

在官方Android文档，在安全与设计部分，他们建议是为了保护您的谷歌播放的公钥：

In the official Android documentation, in the Security and Design part, they're advising this to protect your Google Play public key:

要保持你的公钥的恶意用户和黑客攻击，不
  在任何code作为一个文字字符串嵌入。 相反，构造
  字符串在运行时从片或使用位操作（例如，
  与其他一些字符串XOR）隐藏实际的键。键本身
  不是秘密信息，但你不想很容易让一个
  黑客或恶意用户替换为其他的公钥。

To keep your public key safe from malicious users and hackers, do not embed it in any code as a literal string. Instead, construct the string at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want to make it easy for a hacker or malicious user to replace the public key with another key.

好吧，让我们试试：

@Override
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);

    TextView text = (TextView) findViewById(R.id.text);
    text.setText(xor("A@NCyw&IHY", "ehge13ovux"));
}

private String xor(String a, String b) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < a.length() && i < b.length(); i++) {
        sb.append((char) (a.charAt(i) ^ b.charAt(i)));
    }
    return sb.toString();
}

给出 $（）及？！HDI = 在的TextView ，好

反编译的版本：

public void onCreate(Bundle paramBundle)
{
    super.onCreate(paramBundle);
    setContentView(2130903040);
    ((TextView)findViewById(2131034112)).setText(xor("A@NCyw&IHY", "ehge13ovux"));
}

private String xor(String paramString1, String paramString2)
{
    StringBuilder localStringBuilder = new StringBuilder();
    for (int i = 0; (i < paramString1.length()) && (i < paramString2.length()); i++)
      localStringBuilder.append((char)(paramString1.charAt(i) ^ paramString2.charAt(i)));
    return localStringBuilder.toString();
}

非常类似的情况像以前一样。

Very similar situation like before.

即使我们有非常复杂的功能 soStrongObfuscationYouGetBlind（），我们总是可以复制粘贴反编译code，运行它，看看它是什么生产。或调试它一步一步的。

Even if we had extremely complicated function soStrongObfuscationYouGetBlind(), we can always copy-paste decompiled code, run it and see what is it producing. Or debug it step-by-step.

这篇关于简单的隐藏/ APK中的字符串混淆？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！