如何在 Android 中隐藏 API 密钥 [英] How to hide API Keys in Android
问题描述
我正在创建一个通过 API 连接到服务器的 Android 应用程序.我担心一个安全问题,就我而言,任何人都可以反编译您的 .apk 并查看或修改您的代码.
I'm creating an Android App which connects to a server through an API. I'm worried about a security issue, as far as I'm concerned, anyone can decompile your .apk and take a look or modify your code.
知道了,我需要将 API Keys 保存在应用程序中的什么位置,以避免某些坏人窃取它并访问服务器,例如修改我的数据库?
Knowing that, where do I need to save the API Keys inside the app in order to avoid some bad guy stealing it and access the server, for example, to modify my database?
谢谢
推荐答案
了解攻击者将如何追踪您的应用程序,95% 的情况下是这样的:
Understand how an attacker will go after your application, 95% of the time in this order:
使用诸如 Burp 之类的拦截代理来检查您的应用程序和服务器之间的流量——非常简单去做.看看我是如何在 Words With Friends 这里上做到的(这是针对 iOS 设备的,但同样的概念也适用于 Android).
Inspect traffic between your application and the server by using an intercepting proxy like Burp -- very easy to do. See how I did it on Words With Friends here (this was for iOS device but same concept works with Android).
您可以使用证书锁定,但是他们可以通过在设备上扎根并在 Android 上使用一些黑客工具来破坏它.所以你需要 Android 根检测.
You can stop traffic inspection with certificate pinning, but they can break that by rooting the device and using some hacker tools on Android. So you need Android root detection.
另一种攻击是扫描您的二进制文件.您需要使用 DexGuard 之类的工具对其进行混淆.
The other attack is scanning your binary. You will need to obfuscate it with a tool like DexGuard.
这些方法都不是防弹的:通常试图在客户端代码中隐藏秘密是输掉比赛.不要付出超过其价值的努力.
None of these methods are bullet-proof: generally trying to hide secrets in client code is a losing game. Don't put more effort into it than it is worth.
这篇关于如何在 Android 中隐藏 API 密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
