如何避免对 APK 文件进行逆向工程 [英] How to avoid reverse engineering of an APK file
问题描述
我正在为 Android 开发支付处理应用,我想防止黑客访问 APK 文件.
I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file.
如果有人将 .apk 扩展名更改为 .zip,那么他们可以解压缩它并轻松访问应用程序的所有资源和资产,并使用 dex2jar 和一个 Java 反编译器,他们也可以访问源代码.对 Android APK 文件进行逆向工程非常容易 - 有关更多详细信息,请参阅堆栈溢出问题 从 APK 文件到项目的逆向工程.
If someone changes the .apk extension to .zip then they can unzip it and easily access all the app's resources and assets, and using dex2jar and a Java decompiler, they can also access the source code. It's very easy to reverse engineer an Android APK file - for more details see Stack Overflow question Reverse engineering from an APK file to a project.
我使用了 Android SDK 提供的 Proguard 工具.当我对使用签名密钥库和 Proguard 生成的 APK 文件进行逆向工程时,我得到了混淆代码.
I have used the Proguard tool provided with the Android SDK. When I reverse engineer an APK file generated using a signed keystore and Proguard, I get obfuscated code.
然而,Android 组件的名称保持不变,一些代码,如应用程序中使用的键值,保持不变.根据 Proguard 文档,该工具无法混淆清单文件中提到的组件.
However, the names of Android components remain unchanged and some code, like key-values used in the app, remains unchanged. As per Proguard documentation the tool can't obfuscate components mentioned in the Manifest file.
现在我的问题是:
- 如何完全防止对 Android APK 进行逆向工程?这可能吗?
- 如何保护应用的所有资源、资产和源代码,使黑客无法以任何方式破解 APK 文件?
- 有没有办法让黑客攻击变得更加困难甚至不可能?我还能做些什么来保护我的 APK 文件中的源代码?
- How can I completely prevent reverse engineering of an Android APK? Is this possible?
- How can I protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way?
- Is there a way to make hacking more tough or even impossible? What more can I do to protect the source code in my APK file?
推荐答案
1.如何完全避免对 Android APK 进行逆向工程?这可能吗?
1. How can I completely avoid reverse engineering of an Android APK? Is this possible?
AFAIK,完全避免逆向工程没有任何技巧.
AFAIK, there is not any trick for complete avoidance of reverse engineering.
@inazaruk 也说得很好:无论你对代码做了什么,潜在的攻击者都能够以她或他认为可行的任何方式对其进行更改.您基本上无法保护您的应用程序不被修改.您在那里放置的任何保护都可以禁用/删除.
And also very well said by @inazaruk: Whatever you do to your code, a potential attacker is able to change it in any way she or he finds it feasible. You basically can't protect your application from being modified. And any protection you put in there can be disabled/removed.
2.如何保护应用的所有资源、资产和源代码,使黑客无法以任何方式破解 APK 文件?
2. How can I protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way?
不过,您可以使用不同的技巧来使黑客更难.例如,使用混淆(如果是 Java 代码).这通常会显着减慢逆向工程的速度.
You can do different tricks to make hacking harder though. For example, use obfuscation (if it's Java code). This usually slows down reverse engineering significantly.
3.有没有办法让黑客更难甚至不可能?我还能做些什么来保护我的 APK 文件中的源代码?
3. Is there a way to make hacking more tough or even impossible? What more can I do to protect the source code in my APK file?
正如大家所说,而且您可能也知道,没有 100% 的安全性.但是,Google 内置的 Android 的起点是 ProGuard.如果您可以选择包含共享库,您可以在 C++ 中包含所需的代码以验证文件大小、集成、等.如果您需要在每次构建时将外部本机库添加到 APK 的库文件夹中,那么你可以按照下面的建议使用它.
As everyone says, and as you probably know, there's no 100% security. But the place to start for Android, that Google has built in, is ProGuard. If you have the option of including shared libraries, you can include the needed code in C++ to verify file sizes, integration, etc. If you need to add an external native library to your APK's library folder on every build, then you can use it by the below suggestion.
将库放在默认为libs"的本地库路径中你的项目文件夹.如果您为 'armeabi' 目标构建了本机代码,则将其放入在 libs/armeabi 下.如果它是用 armeabi-v7a 构建的,那么把它放在下面libs/armeabi-v7a.
Put the library in the native library path which defaults to "libs" in your project folder. If you built the native code for the 'armeabi' target then put it under libs/armeabi. If it was built with armeabi-v7a then put it under libs/armeabi-v7a.
<project>/libs/armeabi/libstuff.so
这篇关于如何避免对 APK 文件进行逆向工程的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
