安全地保存常数值 [英] Saving constant values securely

问题描述

我正在研究与安全数据通信有关的Android应用程序.我在应用程序中使用了一些常量值，并将它们保存在constant.java类中.我不希望对这些值进行逆向工程，但是即使我使用的是ProGuard for Android，对于专家来说，逆向代码也很容易.这些常量非常安全.我可以使用属性文件或res文件夹中的任何文件，但这种方法一点都不安全.

有人可以告诉我如何进行吗?有什么文件格式可以保存常量或防止对属性文件进行反向工程.是否有其他选项，例如将其保存为.py python文件格式并从Android代码中读取?

解决方案

从根本上讲，不可能安全地将秘密常量存储在设备上，因为黑客可以通过静态和动态分析对其进行反向工程.通过混淆值，您只能使其更加困难:

• 使用某种算法来计算它们，而不是按字面意义存储它们.即使是简单的算法也可能会增加提取常数所需的时间.
• 在整个代码中分配值的组成部分.
• 使用本机代码.至少在代码及其API足够大且复杂的情况下，通常更难以进行反向工程.
• 也许可以考虑使用白盒加密技术，该方法试图将常量密钥编入密码算法的实现中，从而无法提取常量密钥.这仍然是研究和高端商业解决方案的领域.

您可能会从我的演示文稿和斯科特·亚历山大·鲍恩(Scott Alexander-Bown)在伦敦Droidcon上的演讲. >

您还可以使用商业混淆器(例如ProGuard的扩展版) DexGuard 来强化代码为您提供了诸如字符串加密和类加密之类的技术.

保护的有效性取决于您可以投入的时间和精力，产品的价值，黑客愿意花费的时间和精力，他们的专业知识等.

类似的问题:在以下位置存储私有API密钥的最佳做法Android

(我是ProGuard和DexGuard的开发人员)

I am working on a Android application related to secure data communication. I am using a few constant values in my application, and am saving them in constant.java class. I don't want these values to be reverse engineered, but even though I am using ProGuard for Android, for experts it's easy to reverse the code. These constants are very secure. I can use properties file or any file in res folder but this approach is not at all secure.

Can anybody can tell me how to proceed? Is there any file format I can save my constants or prevent properties file from reverse engineered. Is there any option such as saving it in .py python file format and reading it from Android code?

解决方案

It is fundamentally impossible to securely store secret constants on a device, since hackers can reverse engineer them through static and dynamic analysis. You can only make it a bit more difficult, by obfuscating the values:

• Compute them with some algorithm, instead of storing them literally. Even a trivial algorithm may increase the time needed to extract the constants.
• Distribute the components of the values throughout the code.
• Use native code. It is generally more difficult to reverse engineer, at least if the code and its API are sufficiently large and complex.
• Maybe look into whitebox cryptography, which tries to weave constant keys into the implementations of cryptographic algorithms, in such a way that the constant keys can't be extracted. This is still the realm of research and high-end commercial solutions.

You might get some ideas that you can apply yourself from my presentation and from Scott Alexander-Bown's presentation at Droidcon in London.

You can also use a commercial obfuscator like the extended version of ProGuard, DexGuard, to harden code for you, with techniques like string encryption and class encryption.

How effective the protection is depends on the time and effort that you can invest, on the value of your product, on the time and effort that hackers are willing to spend, on their expertise, etc.

Similar question: Best Practice for storing private API keys in Android

(I am the developer of ProGuard and DexGuard)

这篇关于安全地保存常数值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！