Protect Android App from reverse engineering


Question

I want to secure my app 100% and don't want hackers to enter inside.

These are the solutions which I found from Stack Overflow.

  1. Integrating Proguard in the app.
  2. Keeping the most important part of the code in C/C++.
  3. Using NDK to write the code natively into a .so file.
  4. Encrypting the API keys using MD5.

So is there any other way to protect my Android app fully from hackers, or which is the best solution among the above mentioned?

These are the references I found:

How to avoid reverse engineering of an APK file?

How to prevent reverse engineering of an Android APK file to protect the code?

Recommended answer

There is simply no way of completely preventing reverse engineering of your app. Given enough resources, programs do eventually get reverse engineered. It all depends on how motivated your adversary is.

Integrating Proguard in the app

The most efficient counter-measure against reverse engineering is obfuscation. That is what Proguard does (but, not too well from what I gather). Proguard's website says it is an optimizer and only provides a minimal protection against RE. Obfuscation only makes the process of reverse engineering harder. It does NOT prevent reverse engineering.

Keeping the most important part of the code in C/C++

This is a general misconception that writing code in native code will prevent reverse engineering. Writing in C/C++ will compile and build your code to machine language, which is harder to reverse engineer than Java bytecode. But, it still does not prevent it completely.

Also, when writing code in C/C++, unless you are a hardcore systems programmer, you have more chances of introducing a lot of bugs:

  • nasty segmentation faults
  • memory leaks
  • use after free

On top of all these, you might end up introducing a multitude of vulnerabilities in your app, from information disclosures to buffer overflows.

Languages which allow you to manage memory yourself (like C/C++) are immensely powerful. So, they also make it easier to shoot yourself in the foot. That is another reason why Java is considered generally safer (since memory is managed by the JVM with the help of GC).

So, unless there is an absolute need to write code in C/C++ (say, you are writing a codec), please don't write in C (just to mitigate reverse engineering).

Encrypting the API keys using MD5

MD5 is a hashing algorithm which hashes data into a 16 byte string. And it is also considered broken. You can only hash with MD5, not encrypt with it.

Even if you encrypt your keys with an algorithm like AES, you will need to store the key somewhere to decrypt it in the future. The attacker can easily extract the key either from the program memory (while running) or from persistent storage and then use it to decrypt your API keys.

Any sensitive part of the code which you want to prevent from being reverse engineered, move it to a remote server. Say, you have come up with a cool algorithm which you do not want anyone to reverse engineer.

I would suggest building a REST API on the server which accepts data from clients, runs the algorithm and returns the results. Whenever you need to make use of this algorithm, you can make a REST call to your server from the app, and then just make use of the results you get from there in your app.

All sensitive and confidential data like your API keys can also be stored on the server and never exposed directly in the app.

This would make sure that the sensitive parts of your code are not disclosed to your adversaries.
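The server-side design the answer recommends, as an added example that is not part of the original post: the algorithm and the API key live only in the server process, and the app ships nothing but the REST call. The `/compute` route, the placeholder key, the scoring function and the in-process HTTP server are all constructed for this demo (Python standard library only).

```python
"""Server-side-secret pattern: the proprietary algorithm and the third-party API key
exist only in the server process; the app sends inputs and receives results."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Assumed: a real backend loads this from its own secret store. Constructed placeholder,
# hard-coded only so the demo runs offline. It is never sent to the client.
SERVER_SECRET_API_KEY = "server-only-key-PLACEHOLDER"


def proprietary_score(values):
    """Constructed stand-in for the 'cool algorithm': a positional weighted sum."""
    return sum((i + 1) * v for i, v in enumerate(values))


class ComputeHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/compute":
            self.send_error(404)
            return
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        # This is where a real backend would call the third-party API with
        # SERVER_SECRET_API_KEY; only the derived result goes back to the app.
        payload = json.dumps({"score": proprietary_score(body["values"])}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def start_server():
    """Bind an ephemeral loopback port, serve in a daemon thread, return the base URL."""
    server = HTTPServer(("127.0.0.1", 0), ComputeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def app_side_compute(base_url, values):
    """Client side (what ships in the APK): no key, no algorithm, just the REST call."""
    req = Request(base_url + "/compute", data=json.dumps({"values": values}).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    with urlopen(req) as resp:
        return json.loads(resp.read())["score"]
```

Decompiling the client half yields only the endpoint and the request shape; the weights and the key are not in the APK to be found.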
