安全地存储api凭证 [英] store api credential securely
问题描述
我如何安全地存储API凭据(例如身份验证密钥,谷歌地图API密钥),目前我已将该凭据存储在strings.xml.KeygenratorSpec中,所以最低API级别要求为23,是否可以安全地存储任何帮助,这将对您有所帮助我被困了两天,却一无所知.
how can I store API credentials like authentication key, google map API key securely, currently I have stored that credentials in strings.xml.KeygenratorSpec requires minimum API level of 23 is there any way to store securely any help will be more helpful I am stuck since 2 days but no idea.
推荐答案
简短的回答:您无法做到.
Short answer: you can't do it.
更长的答案:可以使用混淆来使查找API凭证变得困难,但是仍然,有足够时间和一些技能的人会找到并破坏它.使用KeyGenerator也无济于事.我假设您打算加密/解密API凭据.您仍需要将密钥存储在应用程序中或由应用程序检索.因此,仍然存在相同的问题,有人只需要再找到一个字符串就可以访问您的凭据.
Longer answer: You can use obfuscation in order to make it difficult to find the API credentials, but still, someone with enough time and a few skills will find it and break it. Using KeyGenerator will also not help. I am assuming that you were planning to encrypt/decrypt the API credentials. You will still need a key to be stored in or retrieved by your application. So, the same problem still remains, someone will just have to find one more string before being able to access your credentials.
迷惑可能是您最好的机会.当然,它不是防弹的,但如果它足够复杂,则可能会延迟或使试图破坏您的应用程序的人失去动力.您可以使用proguard来混淆您的应用程序代码(如果您不想为更高级的东西付费),但是不会混淆字符串.您将不得不使用其他技术.您可以在线找到大量示例,也可以使用自己的混淆层.我认为您不会为此找到任何好的建议或标准.当然,无论您多么努力,恢复还原还是一个时间问题.
Obfuscation is probably your best chance. Of course it's not bullet proof, but if it's complicated enough it might delay or demotivate someone who is trying to break your application. You can use proguard to obfuscate your application code (if you don't want to pay for something more advanced), however it will not obfuscate strings. You will have to use other techniques for that. You can find plenty of examples online, and you can use your own layers of obfuscation as well. I don't think that you will find any good recommendations or standards in order to do it. Of course, no matter how hard you try, it will still be a matter of time for someone to revert.
这是配置proguard的很好的教程: http://wiebe-elsinga.com/blog/obfuscating-for-android-with-proguard/(请小心包含的内容,否则在生成apk时可能会崩溃)
This is a good tutorial for configuring proguard: http://wiebe-elsinga.com/blog/obfuscating-for-android-with-proguard/ (be careful what you include because otherwise you might get crashes when you generate an apk)
关于字符串混淆,您可以使用与此类似的东西: https://github.com/efraespada/AndroidStringObfuscator,但是您仍然需要一些密码,因此可以解密.如果将现有字符串用作密码(您已经在应用程序中使用了该字符串),那么如果将其与代码混淆结合使用,可能会使某些人感到困惑.将字符串的各个部分隐藏在各种文件/资源中,并在想要创建字符串时进行组合可能会增加混乱.但是,如果您将其设置得过于复杂,则可能很容易发现.例如,如果您的strings.xml仅包含1个加密字符串(不可读),则很有可能这是您要保护的字符串.遵循此将导致此信息.因此,我认为没有最佳/良好做法.您可以通过在线查找获得一些想法,但是我建议您自己判断隐藏它的最佳方法(不太明显)在哪里,这取决于您的代码和应用程序结构.但是无论如何,这只会欺骗没有经验的/懒惰的攻击者和自动化工具.
Regarding string obfuscation, you can use something similar to this: https://github.com/efraespada/AndroidStringObfuscator however you will still need some password, so decryption will be possible. Using an existing string as a password (one that you are already using in your app) might confuse someone if you combine it with code obfuscation. Hiding parts of the string in various files/resources and combining them when you want to create the string will probably add more confusion. However if you make it too complicated it might be easy to spot. For example if your strings.xml contains only 1 encrypted string (unreadable), there is a good chance that this is the string that you are trying to protect. Following this will lead to this information. So, in my opinion, there are no best/good practices. You can get a few ideas by looking online, but I would suggest you judge for yourself where is the best (less obvious) way to hide it, and this depends on your code and application structure. But anyway, this will only trick inexperienced/lazy attackers and automated tools.
我经常做的另一件事是,如果启用了调试,或者apk文件未由我自己签名,则不允许代码的某些部分运行.这些对策也不是防弹措施,但可能会削弱懒惰的攻击者的积极性.这是有关如何执行此操作及其他操作的很好指南:
Another thing that I do often is to not allow certain parts of the code to run if debugging is enabled, or when the apk file is not signed by myself. These countermeasures are not bullet proof either, but might demotivate a lazy attacker. Here is a good guide on how to do this and other things: https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
这篇关于安全地存储api凭证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
