如何保护Android APK中存储的资产 [英] How to secure the assets stored in Android APK

问题描述

我相信已经提出了这个问题，但是我对他们的回答不满意，并在此处再次发布.

i believe this question is already asked but i am not satisfied with their answers and posting it again here.

有人可以告诉我如何保护我的android应用程序资产免受想要构建类似应用程序的模仿猫的侵害吗?

can someone please tell me how to safeguard my android app assets from copy cats who want to build similar app?

推荐答案

和往常一样，在便利性和安全性之间要进行权衡.您希望应用程序越安全，开发起来就越不方便.

As always there is a trade-off between convenience and security. The more secure you want your app the less convenient it will be for you to develop.

由于易于反编译，因此源代码本质上是不安全的，尤其是对于有根电话而言.为了保护您的源代码，您可以对代码进行混淆和/或加密，以防止反编译.不能完全确定哪些工具可用于Android，但我相信它将使您的构建过程复杂化.如果您只是进行混淆，反编译仍然可能，但是将更加困难，并且如果使用了高度混淆的话，可能会要求尝试反编译您的代码的人知道并理解Bytecode.

The source code is inherently insecure due to ease of decompiling especially with rooted phone. To protect your source code you can obfuscate and/or encrypt your code which will prevent decompiling. Not exactly sure what tools are available for Android, but I am sure it will complicate your build process. If you just obfuscate, decompiling may still be possible, but will be much more difficult and will likely require the person attempting to decompile your code to know and understand Bytecode if a strong level of obfuscation is used.

为了保护您的资产，我相信您唯一的选择是使用加密.再次，这将使应用程序和/或构建过程复杂化，具体取决于您实现的位置.

To protect your assets, I believe your only option is to use encryption. Again this will complicate the app and/or build process depending on where you implement.

即使您使用加密来保护资产，也必须在源代码中保护加密密钥.显然，如果您的加密密钥在源代码中为纯文本格式，那么使用哪种加密方案都没有关系，那么任何人都可以抓住密钥和您的资产进行解密.所有这些所做的只是增加了一个小篱笆来跳过.

Even if you use encryption to protect your assets, you must protect the encryption key within your source code. Obviously, it does not matter what encryption scheme you use if your encryption key is in plaintext in the source code then anybody can grab the key and your asset and decrypt. All this does is add one more small fence to jump over.

但是，如果您正确地保护了加密密钥并使用了良好的加密算法，则不必担心.但是，这是一个相当复杂的过程，很难在您的代码中使用密钥进行加密而不将其保留为纯文本格式.即使您没有在代码中将其保留为纯文本格式，也必须在某些时候将其保存在内存中才能执行解密.因此，如果有人可以在适当的时候连接调试器或转储内存，那么它将破坏密钥.当然，这需要一个更熟练的对手.

However, if you correctly protect the encryption key and use a good encryption algorithm you should have less to worry about. This is a fairly complicated process though, it is difficult to use a key for encryption within your code and not keep it in plaintext. Even if you don't keep it in plaintext within the code, at some point it must be in memory to perform decryption. So if somebody can attach a debugger or dump memory at the right time, it will compromise the key. Of course, this requires a much more skilled adversary.

总体而言，您需要确切确定担心谁会窃取资产.如果您担心普通的乔复制它们，那么您应该没事.如果您担心专业的黑客，脚本小子等如何获得对他们的访问权限，那么您可能就不走运了.

Overall, you need to decide exactly who you are worried about stealing your assets. If you are worried about the average Joe copying them, then you should be ok. If you are worried about a professional hacker, script kiddie, etc. gaining access to them then you are probably out of luck.

这篇关于如何保护Android APK中存储的资产的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！