Storing API keys in Android, is obfuscation enough?


Question

I'm using the Dropbox API. In the sample app, it includes these lines:

// Replace this with your consumer key and secret assigned by Dropbox.
// Note that this is a really insecure way to do this, and you shouldn't
// ship code which contains your key & secret in such an obvious way.
// Obfuscation is good.
final static private String CONSUMER_KEY = "PUT_YOUR_CONSUMER_KEY_HERE";
final static private String CONSUMER_SECRET = "PUT_YOUR_CONSUMER_SECRET_HERE";

I'm well aware of the mantra 'Secrecy is not Security', and obfuscation really only slightly increases the amount of effort required to extract the keys. I disagree with their statement 'Obfuscation is good'. What should I do to protect the keys then? Is obfuscation good enough, or should I consider something more elaborate?

Recommended answer

You can't help it. If the user (attacker) has the protected data and the code that does the unprotection, the user can eventually get access to the data. It's as simple as that. A debugger and a breakpoint at just the right time is all they need. That, and lots of free time and determination.

Whether or not secrecy is good enough for your purposes is up to your business specifics. But generally in the mobile world, if the customer is that worried about their data being stolen, they implement high-level theft and loss controls. Things like remote wipe, mandatory screen lock, etc. I don't think it's up to the application programmer to duplicate all that stuff.
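The answer's point, shown as an added Python model that is not part of the question or the answer: a secret "protected" by a constructed single-byte XOR mask ships next to the code that unmasks it, and a trace hook (standing in for a debugger breakpoint) placed on the app's own entry point captures the plaintext without any knowledge of the masking scheme. The mask value, the masked bytes and the function names are all constructed for this demo.

```python
import sys
from typing import Callable, Optional

# Constructed demo values: the Dropbox placeholder secret, XOR-masked with one
# byte. Mask and masked bytes both ship in the app, like the sample's constants.
_MASK = 0x5A
_MASKED_SECRET = bytes.fromhex(
    "0a0f0e0503150f0805191514090f171f0805091f19081f0e05121f081f"
)


def deobfuscate() -> str:
    """The 'unprotection' code: the app must run this before it can use the API."""
    return bytes(b ^ _MASK for b in _MASKED_SECRET).decode("ascii")


def call_api_with_secret() -> int:
    """Stand-in for the app's normal use of the secret (returns only its length)."""
    secret = deobfuscate()
    return len(secret)


def recover_via_trace(app_entry: Callable[[], int]) -> Optional[str]:
    """Models 'a debugger and a breakpoint at just the right time'.

    Installs a trace hook (sys.settrace, the same mechanism Python debuggers
    use), runs the app's own entry point, and records what deobfuscate()
    returns. The app performs the unmasking itself; the hook only watches.
    """
    captured = {}

    def local_tracer(frame, event, arg):
        # 'return' fires once the function has produced the plaintext secret.
        if event == "return" and frame.f_code.co_name == "deobfuscate":
            captured["secret"] = arg
        return local_tracer

    def global_tracer(frame, event, arg):
        # Only attach the local tracer to the frame we care about.
        return local_tracer if frame.f_code.co_name == "deobfuscate" else None

    sys.settrace(global_tracer)
    try:
        app_entry()
    finally:
        sys.settrace(None)
    return captured.get("secret")


if __name__ == "__main__":
    print(recover_via_trace(call_api_with_secret))
```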
