防范逆向工程的安全性如何? [英] How secure is proguard against reverse engineering?
问题描述
我将在应用程序中处理非常敏感的数据.按照我的定义,混淆并没有增加安全性,它只会在有限的时间内延迟解密器. Proguard是否有可能做得如此出色以至于可以称之为增加的安全性"?
I will be working with very sensitive data in an app. Obfuscation by my definition is not added security, it will only delay the cracker with finite time. Is it possible that Proguard does this so well it may be called added security?
最敏感的是一些网络呼叫.很难嗅出密码,因为我们将在两侧生成密码并通过时间戳检查其有效性.问题在于该应用程序可能会被反向工程,并且可能会利用生成算法.
What is most sensitive are some network calls. It will be hard to sniff the password because we will generate the password on both sides and check it's validity with timestamps. Problem is the app may be reverse engineered and the generate algorithm may be exploited.
不可能将算法本地保存在文件中,因为使用扎根电话,破解者可能会检索到该算法.从服务器下载算法无效,因为此处存在相同的问题,如果破解者对应用进行逆向工程,他/她将能够看到算法的来源.
It is not possible to keep the algorithm locally in a file because with a rooted phone the cracker may be able to retrieve it. It does not work to download the algorithm from the server because the same problem applies here, if the cracker reverse engineer the app he/she will be able to see where the algorithm is taken from.
非常感谢您提供任何有关如何进行的信息!
Any input on how to proceed is greatly appreciated!
修改
我要保护的是生成算法,因此破解者可能不会向我们的服务器发送大量数据.
What I am trying to protect is the generate algorithm so the cracker may not send a lot of data to our server.
推荐答案
通常,您可以使饼干的生活更加艰难.您越努力,将剩下的越少.尤其是在经济激励措施有限的情况下.
Generally, You can make the crackers life harder. The harder you make it, the fewer will remain. Especially if the financial incentive is limited.
您的代码混淆选项是:
- 使用proguard可以很好地完成工作,当然不是完美的,但是很好
- 使用DexGuard,这会使逆向工程更加困难,例如 通过加密字符串或检测代码篡改
- 用C语言编写关键部分
- Use proguard, it does a good job, not perfect of course, but good
- Use DexGuard, which can make reverse engineering even harder, like by encrypting strings, or detecting code tampering
- Write critical parts in C
无论代码混淆如何,都使您的网络协议也难以处理:对消息进行加密和签名,确保消息不能重复(通过使用时间或顺序)以及对客户端进行身份验证
Regardless of code obfuscation, make your network protocol also hard to mess around with: encrypt and sign messages, make sure messages can not be repeated (by using time or a sequence), and authenticate the client
不要在磁盘上保存任何敏感的明文.
Don't save on disk any clear texts that are sensitive.
这篇关于防范逆向工程的安全性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
