Where to keep static information securely in Android app?


Question


In my Android app, I am using a few keys and tokens for authentication and initialisation. I need to store these static keys somewhere in the app securely. At the same time, I need to access them in code as well. I am aware of SharedPreferences and Gradle variables, which I use right now. I have tried cryptography as well, but then I will have to store the secretKey as well for decryption.
So, I am searching for any workaround or proper solution. Any help will be highly appreciated.

Recommended answer

Your question


Where to keep static information securely in Android app?


No matter where and how you store them, from the moment you release your mobile app, any secret in it now belongs to the public domain.


I have tried Cryptography as well, but then I will have to store the secretKey also for decryption.


You can make this hard to reverse engineer by static analysis by hiding it in C code, using the JNI/NDK interface in Android, like I do in this Currency Converter Demo repo, but then if the attacker is not able to reverse engineer it this way, he will do it during run-time with an instrumentation framework, and a popular one is Frida:


Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.


Another alternative is to try to compute the secret keys at runtime, but then once more Frida will hook on the function that does this and extract the secret from its return value.

Can be found in

Bear in mind this is a simple solution, but even a sophisticated one would be vulnerable to Frida scripts used by an attacker.

Defense in depth


So, I am searching for any workaround or proper solution. Any help will be highly appreciated.


Security is all about adding as many layers as you can afford in order to make it time consuming for an attacker to overcome all of them, and to raise the bar for the skill set necessary by an attacker.


So using C code to hide secrets, like the decryption keys, and storing encrypted secrets in the Android keystore will keep the script kiddies away, but will leave you vulnerable to attackers who know how to use Frida scripts to hook into your code.


In my Android app, I am using a few keys and tokens for authentication and initialisation.


If you are trying to secure the keys to access your API, then you can read my answer to this question to understand that implementing the Mobile App Attestation concept will allow you to not need to store secrets to access your API server. For initialization purposes I would recommend that you move this logic to the backend, because any in-app decisions can be modified/bypassed with instrumentation frameworks.


Also consider using strong obfuscation techniques for all your code base; that will add another layer of difficulty to the attacker's steps to reverse engineer your mobile app.


In any response to a security question I always like to reference the excellent work from the OWASP foundation.

OWASP Mobile Security Project - Top 10 risks


The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:


The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10


The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
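The answer's central recommendation is to keep the real API secret off the device entirely and let the backend decide, after an attestation check, whether a given app instance may use it. The following Python sketch is an added example written for this page; it is not code from the answer's author, from the Currency Converter Demo repo, or from any attestation product. It models only the backend side: an attestation verdict is assumed to arrive from some attestation service (how that service reaches its verdict is out of scope here), the backend then issues a short-lived HMAC-signed session token carrying a scope, and the upstream API key is used only by the backend's own proxy endpoint. All key material, names (`issue_session_token`, `verify_session_token`, `proxy_to_upstream`, the `read:rates` scope) and values are constructed placeholders.

```python
# Added example (not part of the original answer): backend-side token exchange
# for the "Mobile App Attestation" approach. The long-lived upstream API key
# never ships inside the APK; the app only ever receives a short-lived signed
# session token, issued after an (assumed) attestation service vouched for it.
import hashlib
import hmac
import time
from typing import Optional

# Secrets that live only on the server. Constructed placeholders, not real keys.
UPSTREAM_API_KEY = "upstream-api-key-placeholder"    # must never be in the app
TOKEN_SIGNING_KEY = b"server-only-token-signing-key"  # never sent to clients
TOKEN_TTL_SECONDS = 300                               # short lifetime limits replay value


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload with the server-only signing key."""
    return hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_token(attestation_passed: bool, app_instance: str, scope: str,
                        now: Optional[float] = None) -> Optional[str]:
    """Token-issuing endpoint.

    `attestation_passed` is the verdict the backend obtained from the assumed
    attestation service for this request. Without a passing verdict no token
    is issued, so an app that cannot attest never obtains any credential.
    """
    if not attestation_passed:
        return None
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    payload = f"{app_instance}|{scope}|{expiry}"
    return f"{payload}|{_sign(payload)}"


def verify_session_token(token: str, required_scope: str,
                         now: Optional[float] = None) -> bool:
    """Accept only an untampered, unexpired token that carries the required scope."""
    try:
        app_instance, scope, expiry_str, sig = token.split("|")
        expiry = int(expiry_str)
    except ValueError:  # wrong field count or non-numeric expiry
        return False
    payload = f"{app_instance}|{scope}|{expiry}"
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    now = time.time() if now is None else now
    return now < expiry and scope == required_scope


def proxy_to_upstream(token: str, now: Optional[float] = None) -> dict:
    """API endpoint the app calls instead of the third-party API directly.

    Only this server-side code ever touches UPSTREAM_API_KEY, so there is no
    static secret for an attacker to pull out of the APK or hook at runtime.
    """
    if not verify_session_token(token, "read:rates", now):
        return {"status": 401, "body": "invalid or expired session token"}
    # A real service would now call the upstream API with UPSTREAM_API_KEY in
    # an Authorization header; here the call is simulated.
    upstream_called_with_key = bool(UPSTREAM_API_KEY)
    return {"status": 200, "body": "rates-from-upstream",
            "upstream_called": upstream_called_with_key}


if __name__ == "__main__":
    t0 = 1_000.0
    tok = issue_session_token(True, "app-instance-1", "read:rates", now=t0)
    print("fresh token accepted:", proxy_to_upstream(tok, now=t0 + 10)["status"])
    print("expired token rejected:", proxy_to_upstream(tok, now=t0 + 301)["status"])
    print("tampered token rejected:",
          proxy_to_upstream(tok.replace("app-instance-1", "app-instance-2"), now=t0 + 10)["status"])
```

Two design points follow from the answer's argument. First, the token is worthless to an attacker who extracts it, because it expires in minutes, is bound to a scope, and cannot be minted or extended without `TOKEN_SIGNING_KEY`, which never leaves the server. Second, nothing in the app decides anything: the attestation verdict, the token issuance and the upstream call all happen server-side, which is exactly the "move this logic to the backend" advice, since in-app decisions can be bypassed with an instrumentation framework.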
