在混淆代码中隐藏字符串 [英] Hiding strings in Obfuscated code

问题描述

我只是使用 proguard 混淆了我的 Android 代码，然后对其进行了反编译.有很多字符串我真的很想隐藏起来以免被窥探.当我反编译我的代码时，每个人都可以看到字符串……并更改.其中一个字符串是我的许可服务器的 URL，它们实际上可以更改 URL 以指向假服务器(因为我将向公众发布服务器代码).隐藏此类信息的最佳方法是什么?

I just Obfuscated my Android code using proguard and then decompiled it. There are a number of strings I would really like to hide from prying eyes. When I decompiled my code the strings were there for everyone to see...and change. One of the strings is a URL to my licensing server and they could in effect change the url to point to a fake server (as I will be releasing the server code to the public). What is the best way of hiding this sort of information?

另外，我注意到 R 类字符串都是随机数，但我在反编译代码中找不到 R 类.它在哪里?

Also, I noticed that the R class strings are all random numbers but I can't find the R class in the decompiled code. Where is it?

敌人的例子我看到了:new SimpleCursorAdapter(localActivity, 2130903058, localCursor, arrayOfString, arrayOfInt);

2130903058 是一个布局文件，但它引用的是什么?该数字没有任何意义，除非它指向某种地址.

2130903058 is a layout file but what is it referencing? The number means nothing unless it is pointing to some sort of address.

推荐答案

假设您对模糊而不是安全感到满意，那么您可以使用多种机制，但是像 proguard 这样的混淆器将无法帮助您.

Assuming you are happy with obscure rather than secure, there a number of mechanisms you could use, but obfuscaters like proguard are not going to be able to help you.

要实现这一点，您需要自己对字符串进行编码或加密，您使用的方法取决于您要防御的内容，如果您只是想躲避明显的检查，则编码可能就足够了(参见 android.util.Base64，http://developer.android.com/reference/android/util/Base64.html).请注意，编码绝不是安全的，它只会删除对您网站的明显引用.

To achieve this you will need to do encoding or encryption of the string yourself, the approach you use depends on what you are trying to defend against, if it you are just trying to hide from obvious inspection, than encoding may be sufficient (see android.util.Base64, http://developer.android.com/reference/android/util/Base64.html). Note that encoding is in NO WAY SECURE and all it will to is remove the obvious reference to your site.

如果你想防御更多的东西，那么你可以转向实际加密字符串，为此你可以通过 javax.crypto.Cipher 使用像 AES 这样的对称密码，http://www.androidsnippets.org/snippets/39/index.html 提供了一个不错的使用示例.同样，这对黑客来说比安全更烦人，因为您需要将密钥存储在 jar 中的某个位置，从而否定任何加密安全性.

If you are trying to defend against something more, then you could move to actually encrypting the string, to do this you would use a symmetric cipher like AES via javax.crypto.Cipher, http://www.androidsnippets.org/snippets/39/index.html provides a decent usage example. Again this is more annoying then secure to would be hackers, as you will need to store the key somewhere in your jar thus negating any cryptographic security.

为了更清楚地说明这一点，基本步骤是:

To make this clearer, the basic steps would be:

1. 使用已知密钥手动创建加密字符串.
2. 转换您的代码以使用此字符串的解密版本，例如:

之前:

public class Foo {
    private String mySecret = "http://example.com";

    ...
}

变成:

public class Foo {
    private String encrypted = "<manually created encrypted string>";
    private String key = "<key used for encryption";
    private String mySecret = MyDecryptUtil.decrypt(encrypted, key);

    ...
}

所有这些的(好的)替代方案是考虑使用第三方 drm 解决方案，例如谷歌提供的许可服务器 http://android-developers.blogspot.com/2010/07/licensing-service-for-android.html.这可能比你自己滚动的东西更安全，但受到与我上面描述的非常相似的限制.

A (good) alternative to all of this is considering using a third party drm solution such as the licensing server google provides http://android-developers.blogspot.com/2010/07/licensing-service-for-android.html. This may be more secure than something you roll your self, but is subject to very similar limitations to what I described above.

这篇关于在混淆代码中隐藏字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！