Encrypt information on Android devices (protect reasonably from access by user)

Problem description

We are in the making of an Android app, a quiz game, which we would like to cache questions + answers for when the user is offline. The problem with this is that we would need to withhold this data from the user until she has answered the questions. Otherwise, cheating would be very easy, which would harm the game. One could then extract all questions + answers and automatically submit answers to the server API.

The most convenient way would be to retrieve a key or secret from our server at installation time, hide it "somewhere", and use it for communication with the server, and also for the encryption of questions + answers in storage. But obviously, hiding it "somewhere" is not a secure concept.

I have researched a bit, and it seems that reliable encryption is not possible in such cases, because the app has to "know" the secret (be it a certificate, passphrase + salt, or whatever) or at least where it can be found, and this can be extracted by decompilation. However, we would be fine with it being hard enough to do.

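The question now is: do you know of a way to make it prohibitively hard for an ordinary user to retrieve a secret from the APK, i.e. to make it nearly impossible to write an automatic key extractor?

My best guesses so far:

  • Hide some information in the database and use it as a salt for the key
  • Add a few bits of information from the device as salt (IMEI, email address, serial number, ...) - maybe, together with obfuscating how the salt is applied, that could be hard to obtain?

Recommended answer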

You could use a separate key for each question, which depends on the answer to the previous question. So it's impossible to decrypt question 2 unless you've already answered question 1.
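
The chaining described in the answer, as an added Java example that is not from the original post. It assumes the server seals each question under a key derived from the correct answer to the previous one and ships a per-question salt with the cache; the class and method names, the iteration count and the sample quiz text are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

// Added example (hypothetical names): question n+1 is sealed under a key derived from answer n.
public class ChainedQuizCache {
    static final int ITERATIONS = 200_000, KEY_BITS = 256, IV_LEN = 12, TAG_BITS = 128;

    // Normalise the previous answer, then stretch it with the per-question salt (PBKDF2).
    static SecretKeySpec keyFromAnswer(String prevAnswer, byte[] salt) throws Exception {
        char[] pw = prevAnswer.trim().toLowerCase(Locale.ROOT).toCharArray();
        PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, KEY_BITS);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    // Server side: returns IV || AES-GCM ciphertext and tag for the next question.
    static byte[] seal(String prevAnswer, byte[] salt, String question) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFromAnswer(prevAnswer, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(question.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Client side: returns null when the GCM tag check fails, i.e. the given answer was wrong.
    static String open(String givenAnswer, byte[] salt, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keyFromAnswer(givenAnswer, salt), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        try {
            return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] q2 = seal("Paris", salt, "Q2: Which river flows through Paris?"); // constructed sample
        System.out.println(open("london", salt, q2));  // wrong answer, tag check fails
        System.out.println(open(" paris ", salt, q2)); // correct answer after normalisation
    }
}
```

With multiple-choice questions each step's key has only as many candidates as there are choices, so the key stretching raises the cost of automated extraction rather than ruling it out.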
