安全硬code在移动应用程序密码 [英] Safe to hard code a password in mobile app
问题描述
我有一个创建一个QR code这是一个Web服务器[用户名] + [用户名] [密码]的MD5哈希值。
其中[用户名]在当时登录的用户。
其中[密码]是一个系统的密码由本人和共同设置Web服务器和应用程式。
I have a web server that creates a QR code which is [username] + a md5 hash of [username][password]. Where [username] is the user logged in at the time. Where [password] is a system password set by me and common to web server and the apps.
我的Android / iPhone /黑莓/ Windows的应用程序会扫描这个QR code和使用[用户名]的QR code提供了哈希[密码],它会告诉我,QR $ C $ ç来自我的服务器。
My Android/iPhone/BlackBerry/Windows app will scan this QR code and use the [username] provided in the QR code to hash with [password] which will tell me that the QR code came from my server.
显然,如果有人要弄个[密码]然后他们可以创建QR codeS是不是来自我的Web服务器。所以,反正是有安全存储[密码]我的应用程序或可能有人反编译的.apk文件,并发现它在classes.dex?
Obviously if someone were to get hold of [password] then they could create QR codes that did not come from my web server. So is there anyway to safely store [password] in my app or could someone decompile the .apk and find it in classes.dex?
推荐答案
您能以某种方式混淆的密码,但最终这是通过隐藏唯一的安全。有人谁曾想当然可以反向工程了。
You can obfuscate the password somehow, but ultimately this is only security through obscurity. Someone who wanted to could certainly reverse engineer it.
您可能想看看公钥加密,以避免这种情况 - 即使有人获得公钥的访问,他们仍然无法用它来冒充你的服务器
You probably want to look at public key cryptography to avoid this - even if someone gets access to the public key, they still won't be able to use it to impersonate your server.
这篇关于安全硬code在移动应用程序密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
