在 Android 应用程序中存储机密和凭据 [英] Storing secrets and credentials inside of an Android App

问题描述

我正在使用 AWS Cognito，我需要在我的 android 应用程序中的某处存储一些凭证和机密，以便稍后使用它们来登录/注册/注销用户.

I'm using AWS Cognito and I need to store some credentials and secrets somewhere inside my android app to use them later to sign in/sign up/log out the users.

一些消息来源建议将凭据存储在项目 gradle.properties 文件中.从那里，凭据将被检索为 BuildConfig.FIELD_NAME.我可以 100% 确定在逆向工程时无法从 apk 中提取那些吗?

Some sources suggested to store the credentials inside project gradle.properties file. From there the credentials will be retrieved as BuildConfig.FIELD_NAME. Can I be 100% sure that those cannot be extracted from the apk when reverse-engineering it?

我想到的另一种方法是使用非对称加密算法(使用公钥-私钥)加密凭据，并在需要时在运行时解密它们，但同样，我需要将公钥存储在我的应用程序中的某个位置，以便解密凭据.这再次不起作用，因为可以通过反编译 apk 提取公钥.

Another way i was thinking about was to encrypt the credentials using an asymmetric encryption algorithm (with public-private key) and decrypt them at runtime when needed, but again, I need to store somewhere inside my app the public key in order to decrypt the credentials. This doesn't work again, since the public key can be extracted decompiling the apk.

我对此进行了大量研究，但在这种情况下我没有发现任何帮助.几乎每篇文章都提到如何存储密码等凭据，但情况并非如此，因为我没有在运行时从服务器或任何地方检索我的机密和凭据.进行 API 调用以获取凭据又是一件坏事.

I've done a lot of researching about this but I found nothing to help me in this case. Almost every article was referring to how to store credentials like passwords, but that's not the same case since i'm not retrieving my secrets and credentials from a server or anywhere at runtime. Making an API call to get the credentials is again a bad thing.

那么，我怎样才能尽可能安全地做到这一点?我在等你的解决方案！谢谢

So, how can I do this as securely as possible? I'm waiting for your solutions! Thanks

密钥存储实际上不起作用，因为在将它们添加到密钥存储之前我必须从某个地方获取秘密

edit: Key store doesn't really work since I have to get the secrets from somewhere before adding them to key store

推荐答案

这实际上完全取决于您需要或希望您的应用程序的安全程度，以及这些凭据的敏感程度.由于无法从服务器端存储和检索它们，因此最好的办法是将它们嵌入代码中的某个位置.APK 可以非常轻松地反编译，因此您的凭据始终可以通过某种方式访问​​.真正的问题是您希望逆向过程有多困难.

This really all depends on how secure you need or want your app to be, and how sensitive are those credentials. Since storing and retrieving them from server-side is not an option, your best bet would be to embed them somewhere in the code. APKs can be decompiled really easily, thus your credentials will always be accessible some way or another. The real question is how difficult you want the reversing process to be.

从那里，凭据将被检索为 BuildConfig.FIELD_NAME.我可以 100% 确定在逆向工程时无法从 apk 中提取那些吗?

From there the credentials will be retrieved as BuildConfig.FIELD_NAME. Can I be 100% sure that those cannot be extracted from the apk when reverse-engineering it?

我 100% 确定它可以被检索:).Java 不会加密任何字符串，它们都将作为原始文本存储在 dex 文件中，准备进行 grep 处理.

I'm 100% sure it can be retrieved :). Java will not encrypt any strings, and they'll be all stored as raw text in the dex files, ready to be grep'd.

从那里开始，您的下一步将是使用静态密钥加密代码中的密钥.一些工具会为您做到这一点，例如 DexGuard、Dasho、Dexprotector——您也可以提出自己的解决方案.这篇文章 解释得很好.

From there, your next steps would be to encrypt the keys in the code, using a static key. Some tools will do that for you, like DexGuard, Dasho, Dexprotector -- you could also come up with your own solution.This article explains it well.

请记住，您自己的解决方案或第三方工具提供的解决方案可能很容易逆转:请参阅 这个例子 用于 DexGuard.另请注意，在运行时解密时，这些凭据将在设备的 RAM 中清晰可见，从而允许调试器轻松读取它们.

Keep in mind that both your own solution, or a solution provided by a third-party tool might prove easy to reverse: see this example for DexGuard. Please also note that when decrypted at runtime, these credentials will be in clear in the device's RAM, thus allowing a debugger to easily read them.

您的下一个最佳选择是在本机代码中使用加密字符串:更难逆转和追踪，但仍然可行.

Your next best bet is to go with encrypted strings inside native code: harder to reverse and track down, yet still doable.

然后您可以使用白盒密码术，再次使用 Inside Secure 推荐的第三方工具.这本质上会将加密算法和密钥混合到混淆的本机代码中，这可能会让您难以逆转 &难以调试加密/解密方法.在这里，您将只在您的应用程序中包含加密凭据，并且它们将在白盒中安全地解密.白盒通常非常安全(但并非不可能破解)，但是一旦解密，凭据将在设备的内存中清晰可见.这样可以更彻底地防止简单的反编译.

Then you can use whitebox cryptography, again with third-party tools like those proposed by Inside Secure. This will essentially blend both an encryption algorithm and a key into obfuscated native code, which might give you hard to reverse & hard to debug encryption/decryption methods. Here you would only include encrypted credentials in your app, and they would be decrypted securely inside the whitebox. The whitebox is generally very secure (but not impossible to crack), but once decrypted, credentials will be in clear in the device's memory. This would protect more thoroughly against simple decompilation.

然后...我认为如果不涉及硬件解决方案(KeyStore、嵌入式安全元件)和服务器来备份所有内容，您就无法做到更多.

Then... I don't think you can go much further than that without involving a hardware solution (KeyStore, embedded Secure Element) and a server to back everything up.

这篇关于在 Android 应用程序中存储机密和凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！