Android App Security


Problem description


I want to develop an app where user data is very sensitive. I am new to development, so I am not sure whether the following techniques are necessary for security or efficient. Please leave your comment. Thanks in advance.

  1. For extra security, can we avoid the market (Play Store) and install the app on individual devices? Does it make it more secure?

  2. I have to store data on the device. How can we make the data secure so other apps can't read it?

Solution

  1. Yes, you can install your app without using the Google Play app. Whether this is more secure depends on your security requirements. Generally speaking, it's much more secure to install apps from Google Market than from other sources. If you want to avoid any kind of installations, you could think of using/implementing an app blocker (e.g. AppLock) or a Kiosk mode app (SureLock Kiosk Lockdown).

    The fewer apps are installed, the fewer potential attackers (malware, trojans, potentially unwanted programs) you have. So from this perspective: yes, it does. However, as long as you don't have a rooted device, the application's data (databases, preferences) is quite safe anyway. Data being written to the SD card can be encrypted.

  2. Speaking about unrooted devices: application data (preferences and databases) is kept in a quite secure way. No other app has access to it. Data being written to the SD card can be read from any other app that has the permission android.permission.READ_EXTERNAL_STORAGE or android.permission.WRITE_EXTERNAL_STORAGE. You have to encrypt this data.

    Looking at rooted devices: you have (almost) no chance to store your data in a secure way, because the user/attacker can install any tool in order to analyze the complete memory and storage. Almost means you can try to hide your encryption/decryption algorithms as well as you can, so that it will be hard to decrypt data on the SD. In the end it's just a matter of effort to crack your encryption.

p.s. if you want to dig into technical details, you could have a look at this book.

p.p.s. just think about the following scenario: someone steals and roots your phone. In this case it's easy for the thief to copy the database and to read everything in your tables. Let me add: this is something that can be done very easily, 'cause nowadays lots of tools and manuals for rooting exist on the Internet; same for accessing app data afterwards.

Encryption can make it much more difficult to read out app data and - if you ask your user for the encryption password on every app start - it might even be 100% secure (assuming a strong password that is not stored in the app and the app is not running while the thief steals it). Of course you have to choose a strong encryption algorithm as well (AES, Twofish, ...).

However, as long as you don't lose your phone and the phone is not rooted, your data is safe - most likely. I say most likely, because there were a number of vulnerabilities in the past that made it possible to get system wide access.

So you see it depends strongly on your requirements and on how sensitive your data is.
