优良作法:如何在android/java中处理密钥库密码? [英] Good Practice: How to handle keystore passwords in android/java?
问题描述
假设密钥库的密码不是由用户密码提供的或未绑定到用户密码(这或多或少意味着它只是某处代码中的String或Array []),是否足以保护它,或者很难从字节码中提取出来?
Assuming that a password for a keystore is not supplied by or bound to a user password (which more or less means its just a String or Array[] in the code somewhere), is it a sufficient protection that it just cannot or can only hardly be extracted out of the bytecode?
我知道密钥库(JKS/BKS)的密码仅用于验证密钥库的完整性.此外,完全清楚的是,我必须假设某个应用程序在或多或少受信任的环境中运行才能安全".但是无论如何,是否可以仅从apk文件提取密码?
I know that the password for a keystore (JKS / BKS) is just used to verify the integrity of the keystore. Furthermore it is totally clear that I have to assume that an application runs in a more or less trusted environment to be "secure". But anyhow, is it possible to extract the password just from the apk file?
在应用程序源中对任何密码进行硬编码只是感觉不对,所以也许有一些想法,如何使它实际上减少威胁. 例如.在安装应用程序期间在外部配置文件中配置密码或随机生成密码会更好(然后将密码存储在何处)?
It just feels wrong to hardcode any password within the source of an application, so maybe there are some ideas, how to make it actually less threatening. E.g. would it be better to make the password configurable within an external configuration file or generate it randomly during installation of the app (and where should it then be stored)?
推荐答案
这是否足以保护它不能或几乎不能从字节码中提取出来?
is it a sufficient protection that it just cannot or can only hardly be extracted out of the bytecode?
足够"是一个主观术语;只有您才能确定自己的感觉足以满足您的需求.
"Sufficient" is a subjective term; only you can determine what you feel is sufficient for you.
是否可以仅从apk文件提取密码?
is it possible to extract the password just from the apk file?
是的,因为可以对APK文件进行反编译,可以嗅探未加密的网络对话,等等.
Yes, as APK files can be decompiled, unencrypted network conversations can be sniffed, etc.
如何降低威胁程度
how to make it actually less threatening
您可以购买DexGuard的许可证并使用它,因为它将加密诸如密码之类的硬编码字符串.是否值得进行额外的防御是您的决定.
You can buy a license for DexGuard and use it, as that will encrypt hard-coded strings like your password. Whether that is worth the extra defense is your decision.
最好在外部配置文件中配置密码
would it be better to make the password configurable within an external configuration file
植根设备的任何人都可以访问该文件.
Anyone who roots the device could get at the file.
或在应用安装过程中随机生成(然后将其存储在哪里)?
or generate it randomly during installation of the app (and where should it then be stored)?
该文件将存储在至少对root用户可用的位置.
It would be stored somewhere that is available to rooted device users, at minimum.
这篇关于优良作法:如何在android/java中处理密钥库密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
