安全和SQLite在android系统 [英] Security and SQLite in android
问题描述
我在开发Android的视频游戏。这将是一款在线游戏,这将保存在本地SQLite数据库用户的统计,成就,对象等。
I'm developing a video game for Android. It will be an online game, which would save user's statistics, achievement, objects, etc. in the local SQLite database.
有关安全的思考......我读了用户可以编辑保存在一个根深蒂固的Android设备的所有他/她的数据库。我不希望用户能够编辑游戏的数据库。
Thinking about the security... I read that a user can edit all his/her databases saved in a rooted Android device. I would not want the user to be able to edit the database of the game.
那么,我该怎么办?是否有任何选项使DB真的安全吗?密码?加密?
So, what can I do? Is there any option to make the DB really secure? Password? Encryption?
感谢
推荐答案
一个坚定的攻击者可以在设备上的任何数据得到的。如果你把它在数据库之前设备上的数据进行加密,那么你必须有设备和坚定的攻击者可以在存储在设备内存或持续的任何键得到钥匙。
A determined attacker can get at any data on the device. If you're encrypting data on the device before putting it in the database, then you have to have keys on the device and a determined attacker can get at any keys that are stored in the devices memory or persisted.
只有这样,加密还可以是如果既没有加密,也没有解密发生在不受信任的设备上 - 仅仅是存储。你可以你信任的机器上加密敏感数据存储加密位在数据库中,后来被你信任的机器解密。
The only way encryption would help is if neither the encryption nor the decryption happens on the untrusted device -- merely the storage. You can encrypt the sensitive data on a machine you trust, storing the encrypted bits in the database for later decrypting by a machine you trust.
您无法使用密码来保护任何这样。存储在设备内存或设备上坚持密码可以一样容易理解为私有密钥。
You can't use a password to secure this either. Passwords stored in the device memory or persisted on the device can be read as easily as private encryption keys.
如果你不在乎用户是否读取数据库的数据,但不希望他们能够写入数据,你可以有重要数据的签署通过可信的机器在存储之前。然后,如果该设备连接到受信任的机器,它可以检查签名以验证该临界数据没有被篡改。
If you don't care whether the user reads data from the DB, but don't want them to be able to write data, you could have critical data signed by a trusted machine before being stored. Then if the device connects to a trusted machine, it can check the signature to verify that that critical data has not been tampered with.
编辑:
除非你愿意去你不能相信一个不可信的设备上执行任何计算公平的非凡的长度 - 你能做的唯一一件事就是验证通过签名通过一个不可信赖的系统路由数据,并通过在通过加密通过它传递数据的不可信系统prevent窃听
You can't trust any computation performed on an untrusted device unless you're willing to go to fairly extraordinary lengths -- the only thing you can do is verify data routed through an untrusted system via signatures, and prevent eavesdropping by an untrusted system on data passing through it via encryption.
这篇关于安全和SQLite在android系统的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
