在应用程序中存储和保护私有 API 密钥的最佳实践 [英] Best practice for storing and protecting private API keys in applications
问题描述
大多数应用开发者会将一些第三方库集成到他们的应用中.如果是为了访问服务,例如 Dropbox 或 YouTube,或者是为了记录崩溃.第三方库和服务的数量惊人.大多数库和服务都是通过某种方式与服务进行身份验证来集成的,大多数情况下,这是通过 API 密钥进行的.出于安全目的,服务通常会生成公共密钥和私有密钥,通常也称为秘密密钥.不幸的是,为了连接到服务,必须使用此私钥进行身份验证,因此可能是应用程序的一部分.不用说,这面临着巨大的安全问题.可以在几分钟内从 APK 中提取公共和私有 API 密钥,并且可以轻松实现自动化.
Most app developers will integrate some third party libraries into their apps. If it's to access a service, such as Dropbox or YouTube, or for logging crashes. The number of third party libraries and services is staggering. Most of those libraries and services are integrated by somehow authenticating with the service, most of the time, this happens through an API key. For security purposes, services usually generate a public and private, often also referred to as secret, key. Unfortunately, in order to connect to the services, this private key must be used to authenticate and hence, probably be part of the application. Needless to say, that this faces in immense security problem. Public and private API keys can be extracted from APKs in a matter of minutes and can easily be automated.
假设我有类似的东西,我该如何保护密钥:
Assuming I have something similar to this, how can I protect the secret key:
public class DropboxService {
private final static String APP_KEY = "jk433g34hg3";
private final static String APP_SECRET = "987dwdqwdqw90";
private final static AccessType ACCESS_TYPE = AccessType.DROPBOX;
// SOME MORE CODE HERE
}
您认为存储私钥的最佳和最安全的方式是什么?混淆、加密,你怎么看?
What is in your opinion the best and most secure way to store the private key? Obfuscation, encryption, what do you think?
推荐答案
实际上,您编译的应用程序包含键字符串,以及常量名 APP_KEY 和 APP_SECRET.从这种自记录代码中提取密钥是微不足道的,例如使用标准的 Android 工具 dx.
As it is, your compiled application contains the key strings, but also the constant names APP_KEY and APP_SECRET. Extracting keys from such self-documenting code is trivial, for instance with the standard Android tool dx.
您可以应用 ProGuard.它将保持键字符串不变,但会删除常量名称.它还将尽可能用简短的、无意义的名称重命名类和方法.提取密钥需要更多时间,以确定哪个字符串用于哪个目的.
You can apply ProGuard. It will leave the key strings untouched, but it will remove the constant names. It will also rename classes and methods with short, meaningless names, where ever possible. Extracting the keys then takes some more time, for figuring out which string serves which purpose.
请注意,设置 ProGuard 不应该像您担心的那样困难.首先,您只需要启用 ProGuard,如 project.properties 中所述.如果第三方库有任何问题,您可能需要在 proguard-project.txt 中取消某些警告和/或防止它们被混淆.例如:
-dontwarn com.dropbox.**
-keep class com.dropbox.** { *; }
这是一种蛮力方法;您可以在处理的应用程序运行后优化此类配置.
您可以在代码中手动混淆字符串,例如使用 Base64 编码或更复杂的编码;甚至可能是本机代码.然后,黑客将不得不对您的编码进行静态逆向工程或在适当的位置动态拦截解码.
You can obfuscate the strings manually in your code, for instance with a Base64 encoding or preferably with something more complicated; maybe even native code. A hacker will then have to statically reverse-engineer your encoding or dynamically intercept the decoding in the proper place.
您可以应用商业混淆器,例如 ProGuard 的专门兄弟 DexGuard.它还可以为您加密/混淆字符串和类.提取密钥需要更多的时间和专业知识.
You can apply a commercial obfuscator, like ProGuard's specialized sibling DexGuard. It can additionally encrypt/obfuscate the strings and classes for you. Extracting the keys then takes even more time and expertise.
您或许可以在自己的服务器上运行部分应用程序.如果你能把钥匙放在那里,它们就是安全的.
You might be able to run parts of your application on your own server. If you can keep the keys there, they are safe.
最后,这是你必须做出的经济权衡:密钥有多重要,你能负担多少时间或软件,对密钥感兴趣的黑客有多复杂,需要多少时间他们想花多少钱,在密钥被黑客入侵之前的延迟值多少钱,任何成功的黑客将在多大程度上分发密钥等.像密钥这样的小块信息比整个应用程序更难保护.从本质上讲,客户端没有任何东西是牢不可破的,但您当然可以提高标准.
In the end, it's an economic trade-off that you have to make: how important are the keys, how much time or software can you afford, how sophisticated are the hackers who are interested in the keys, how much time will they want to spend, how much worth is a delay before the keys are hacked, on what scale will any successful hackers distribute the keys, etc. Small pieces of information like keys are more difficult to protect than entire applications. Intrinsically, nothing on the client-side is unbreakable, but you can certainly raise the bar.
(我是 ProGuard 和 DexGuard 的开发者)
(I am the developer of ProGuard and DexGuard)
这篇关于在应用程序中存储和保护私有 API 密钥的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
