在应用程序内结算的安全性 [英] In app billing security

问题描述

我已经完成了我开发的应用程序，用于应用程序计费V3。我的应用程序是考试的帮助应用程序，其具有被插入到数据库中的问题列表。这让我担心的事情是安全性超越ProGuard的有pretty的多一点东西。我的应用程序查询所购买物品的清单，这样存储的购买是没有问题的。

I've finished developing my app that uses in app billing v3. My app is an exam help app which has a list of questions which are inserted into a database. The thing that worries me is security as beyond proguard there is pretty much little else. My app queries the inventory for purchased items so storing purchases isn't a problem.

所以，第一个问题是有人可以反编译的应用程序（我已经完成），甚至使用ProGuard，你可以不会有太大困难检索所有的问题。

So the first issue is someone could decompile the app (which I've done) and even with proguard you can without too much difficulty retrieve all the questions.

接下来的事情是应用程序的公钥。这很容易被从我的应用程序，并根据开发者指南，这是我应该保持安全。

The next thing is the application's public key. This can easily be taken from my app and according to the developers guide, this is something I should keep secure.

不过，我真的不知道该如何实现任何形式的担保。甚至有多远，我应该去安全。如果没有一台服务器，如果我憋在设备上我承认这不会是完美的（远非如此），但我至少会像黑客而却步，而不是逗乐了。

However I really don't know how to implement any form of security. Or even how far I should go with security. Without a server, if I'm keeping everything on the device I recognise it won't be perfect (far from it) but I would at least like hackers to be deterred rather than amused.

所以基本上，问题是：

我应该使用的安全类型，以及如何使用它？只是指着我的经历一步一步来的链接，以便我能理解这将是惊人的。

What type of security should I use and how is it used? Just pointing me to links that go through it step by step so I can understand it would be amazing.

非常感谢你！

澄清：

没有涉及服务器。该数据存储在该应用。当库存查询（通过queryinventoryasync法）返回回来，如果库存是买还是不和这个运行每次应用程序启动。在应用程序内结算本身我presume是好的，我要求更多关于我自己的应用程序的应用公钥 - 我的意思以某种方式使这难以复制，但是目前我还刚刚破成15串，我只是增加他们给对方的运行但这是几乎没有任何好转那么就让它作为一个字符串。我想加密它在某种程度上只是不知道怎么办。

There is no server involved. The data is stored in the app. When it the inventory is queried (through the queryinventoryasync method) it returns back if an inventory is bought or not and this runs every time the app launches. In app billing itself I presume is okay, I'm asking more about my own application the application public key - I'm meant to somehow make that harder to copy but currently I have just broken it into 15 strings and I just "add" them to each other on runtime but that's barely any better then just having it as one string. I'd like to encrypt it somehow just don't know how.

推荐答案

好问题。

公钥上必须有设备以使用。一旦涉及设备上它不是真正的保护了。密钥本身已经不是秘密，但我们需要做的可能的替代是一个更艰巨的任务。

Public key must be available on device in order to be used. Once it comes on device it's not really protected anymore. The key itself is not a secret, but we need to make its possible replacement to be a more difficult task.

你可以做的是使用所谓的XOR加密。下面是一个例子，如果XOR加密器和解密方法。

What you can do is to use so called XOR encryption. Here is an example if XOR encrypter and decrypter methods.

public static String xorEncrypt(String input, String key) {
    byte[] inputBytes = input.getBytes();
    int inputSize = inputBytes.length;

    byte[] keyBytes = key.getBytes();
    int keySize = keyBytes.length - 1;

    byte[] outBytes = new byte[inputSize];
    for (int i=0; i<inputSize; i++) {
        outBytes[i] = (byte) (inputBytes[i] ^ keyBytes[i % keySize]);
    }

    return new String(Base64.encode(outBytes, Base64.DEFAULT));
}

public static String xorDecrypt(String input, String key) {
    byte[] inputBytes = Base64.decode(input, Base64.DEFAULT);
    int inputSize = inputBytes.length;

    byte[] keyBytes = key.getBytes();
    int keySize = keyBytes.length - 1;

    byte[] outBytes = new byte[inputSize];
    for (int i=0; i<inputSize; i++) {
        outBytes[i] = (byte) (inputBytes[i] ^ keyBytes[i % keySize]);
    }

    return new String(outBytes);
}

如何，你需要的是选择一个密码字符串（字符串键）和加密的公钥（字符串输入）使用它。这个加密的密钥可以保存在一个类中。当你需要你的真正的核心价值，你叫 xorDecrypt（），密码和公共（加密）密钥字符串。密码是你的地方在code储存过的字符串。正如我所说的，我们真的不保护它，但我们使它更难以找到和/或更换。

How what you need is to choose a password string (String key) and encrypt your public key (String input) using it. This encrypted key you can store in a class. When you need your real key value, you call xorDecrypt() with the password and public (encrypted) key string. Password is a string you store somewhere in your code too. As I said we do not really protect it, but we make it more difficult to find and/or replace.

您可以添加如何将加密的公钥和密码太多复杂的逻辑。这只是增加更多的复杂性，但不会给你任何保证密钥不会被解密。在任何情况下谷歌证实 XOR加密是聊胜于无。

You can add more sophisticated logic on how to combine encrypted public key and password too. This just add more complexity but won't give you any warranty your key wont be decrypted. In any case Google confirms XOR encryption is better than nothing.

4.3的Andr​​oid加入可用于存储公共密钥太一些更多的安全功能。该解决方案将需要服务器之间的通信和硬件支持，真正做到安全。这些都是钥匙链的改进和Android密钥库提供商

Android 4.3 added some more security features which can be used for storing public keys too. This solution will require a server communication and hardware support to be really safe. These are Key Chain enhancements and Android Keystore Provider.

这篇关于在应用程序内结算的安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！