安卓：数据库是如何安全的包装与应用 [英] Android: How safe is database packed with application

问题描述

我想知道它是如何安全地与Android的应用程序打包数据库。可以将数据库的用户轻松访问？当我有数据库将数据，我不希望被用户误用被黑客攻击，目的是保护数据库的移动应用程序的最佳方法是什么？

I want to know how safe it is to pack the database with the application in android. Can the database be easily accessed by the users? As the database that I have will have data which I dont want to be hacked by users for misuse, what is the best way to protect the database in mobile apps?

另外我的应用程序将使用Web服务（联系我自己的网站），例如： HTTP：\ www.mysite.com/services/xxx

Also my application would use web service(contacting my own website) e.g. http:\www.mysite.com/services/xxx

我的网站将依次一些数据返回给移动应用程序。如果有人反编译java的code（在APK），他很容易就会进入我使用的Web服务的URL。我该如何保护我的数据放在网站受到恶意用户的攻击。如果有人得到了解的URL，他可以简单地输入浏览器的URL，并得到JSON格式的，我不想因为这些数据可以是相当敏感的所有数据。即使我把它连接codeD，然后用户可以了解从Java code（这是他的反编译APK后获得）的编码。

My site will in turn return some data to the mobile app. If someone decompiles the java code(in apk), he will easily get access to the URL i am using for web service. How can i protect my data on website to be attacked by malicious users. If anyone gets to know the URL, he can simply type that URL in browser and get all data in json format which i dont want as that data can be quite sensitive. Even if I keep it encoded, then the user can get to know the encoding from the java code(which he gets after decompiling apk).

如何保持我的数据库安全被滥用？

How to keep my DB safe from being misused?

如果我的应用程序是显示当地场所如餐厅，酒吧等在移动，我应该始终从网站上使用Web服务，获取它们或提供本地数据库这些细节，使信息可以迅速获取。在这种情况下，我可以提供一个更新Web servcie将更新本地数据库。但本地数据库的安全性是非常关注我。

If my application is to show the local places like restaurants, bars etc on mobile should i always fetch them from the website using web service or provide a local database with these details so that information can be fetched quickly. In this case , I can provide a UPDATE web servcie which will update the local database. But security of local DB is of great concern to me.

任何人都可以请建议必须保持在DB和如何保障呢？

Can anyone please suggest where to keep the DB and how to safeguard it?

RGDS， 萨班

推荐答案

本地数据库和您的APK文件可以通过任何设备扎根轻松读取。 这个工具甚至可以反编译你的资源中的此YouTube教程（我从来没有试过，我自己其实）。

Local databases and your apk file can be read by any rooted device easily. This tool can even decompile your resources as explained in this youtube tutorial (I never tried that myself actually).

所以，你必须存储你的数据加密的数据库和解密，形成你的应用程序code，以确保没有人可以通过简单地获取数据库构成了数据他设备的目录。

So you would have to store your data encrypted in your database and decrypt it form your application code to be sure that noone can access it by simply getting the database form the data directory of his device.

您不应该把你的敏感数据（如密码等）的资源文件夹，因为它可以反编译，把它放在你的code。

You shouldn't put your sensitive data (like passwords etc) in the resource folder, because it can be decompiled, put it in your code.

现在有些话你的JSON API。隐藏URL是不够的，因为用户可以通过嗅探器轻松地跟踪您的请求，并得到反正。你应该提供一个身份验证机制，以保护未经授权的访问，也受SSL保护你的沟通。 （例如，使用 HTTP认证 - 使得当服务器提供SSL只能意会）

Now some words to your JSON API. Hiding the URL is not enough, since the user can track your requests easily by a sniffer and get that anyway. You should provide a authentication mechanism to protect unauthorized access and also protect your communication by SSL. (E.g. using HTTP authentication - makes only sense when your server provides SSL.)

这是事情，你应该想想，决定自己的数据其实是多么敏感。

This are the things you should think about and decide yourself how sensitive your data actually is.

这篇关于安卓：数据库是如何安全的包装与应用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！