How to secure string in Android Application?


Problem description

How to secure string in Android Application?

  1. ProGuard: It does not secure string? Does proguard work to obfuscate static string constants?

  2. Encrypt String: for encryption I need to store the encryption key (string) somewhere, and again it's the same issue: how to secure the encryption key.

  3. Fetch string from web service: But this solution will not work for me, as the app doesn't have an internet requirement/access; that's a requirement/business decision.

  4. NDK: write a C file which contains the string and return it using JNI, but I found the Hex-Rays decompiler to decompile *.so files https://www.hex-rays.com/index.shtml

================================================

C Function

#include <jni.h>

/* JNI entry point: returns the string literal compiled into the .so */
jstring Java_com_abc_xyz_getString(JNIEnv* env, jobject javaThis) {
  return (*env)->NewStringUTF(env, "Hello String");
}

====================================

Please suggest the best option to secure a string in Android SDK/NDK.

Recommended answer

Key protection and distribution is the big hole in cryptography. It has to be somewhere available at the time you need to decrypt the data.

So, if your string is entered by someone using the device, you could use the device's serial#/IMEI#/etc. as the key. Somewhat secure, but not that difficult to reverse engineer. That would allow for the data to be decrypted locally without the user putting in a password, but would not allow the data to be distributed encrypted.

If you are trying to distribute encrypted data with the application, as you have discovered, the keys must be somewhere local to the device. Without a communications link to the outside world, the only choices are in the device or with the application's user.

Perhaps if you could give us the intended workflow, you could get more useful suggestions?
