凡敏感的全球信息存储，如Android应用程序API密钥？ [英] Where to store sensitive global information such as API keys in Android application?

问题描述

我需要存储在Android应用程序的一些敏感信息。如果我把它放在一个资源文件，看来，它是平凡的其他应用程序，以便能够浏览和读取该文件只需使用<一个href="http://developer.android.com/reference/android/content/pm/PackageManager.html#getResourcesForApplication%28java.lang.String%29">PackageManager.getResourcesForApplication().

I need to store some sensitive information in an Android application. If I put it in a resource file, it appears that it is trivial for another app to be able to browse and read that file simply by using PackageManager.getResourcesForApplication().

在哪里是把这样的信息，我们不希望人们能够很容易地窥探到正确的位置？

Where is the correct place to put information like this that we don't want people to be able to easily snoop?

应该是在编译的Java文件？或者是类文件也易于阅读？另外，如果他们在java文件，是有可能从需要它们（例如对于谷歌地图API密钥）？

Should it be in a compiled java file? Or are classfiles also easily readable? Also, if they're in java files, is it possible to reference them from XML files that need them (eg. for the google maps api key)?

推荐答案

您APK将从设备检索和四分五裂反正。 （毕竟，有些设备是植根。）不管你很难code在那里，无论在哪里，都会被发现和提取。当然，如果潜在的增益证实的努力。否则，安全通过隐匿，如混淆，可能是要走的路。

Your APK will be retrieved from the device and torn apart anyway. (After all, some devices are rooted.) Whatever you hardcode there, no matter where, will be found and extracted. Of course, if the potential gain substantiates the effort. Otherwise, security by obscurity, such as obfuscation, may be the way to go.

处理真正的秘密，应根据特别是密码的某种投入。

Handling real secrets should be based on some sort of input, notably passwords.

令人高兴的是，API密钥，如果作为他们应该，并不一定是真正的秘密。

Happily, API keys, if used as they are supposed to, are not necessarily a real secret.

这篇关于凡敏感的全球信息存储，如Android应用程序API密钥？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！