如何使 apk 安全.防止反编译 [英] How to make apk Secure. Protecting from Decompile

问题描述

我正在开发一个应用程序，该应用程序具有 SQLite 数据库来存储必须受到保护的个人信息.有哪些方法可以保护这些个人数据?APK很容易被完全反编译，那么我们如何保护APK呢?此外，如何保护移动应用程序的数据库?

I am developing an application that has SQLite database to store personal information that must be protected. What are some ways of protecting these personal data? An APK can easily be de-compiled completely, so how can we secure an APK? Additionally, how can a database of a mobile application be protected?

推荐答案

基本上有5种方法可以保护您的APK被破解/逆向/重新打包:

Basically, there are 5 methods to protect your APK being cracking/ reversing/ repackaging:

最简单的方法是让用户无法访问Java Class程序.这是最基本的方式，它有多种具体的实现方式.例如，开发者可以将关键的Java Class放在服务器上，客户端通过访问服务器的相关接口而不是直接访问Class文件来获取服务.所以黑客没有办法反编译Class文件.目前，通过接口提供的标准和协议服务越来越多，如HTTP、Web Service、RPC等，但有很多应用不适合这种保护.例如，独立程序中的Java程序无法隔离.

The easiest way is to make users unable to access to the Java Class program. This is the most fundamental way, and it has a variety of specific ways to achieve this. For example, developers can place the key Java Class on the server, clients acquire services by access relevant interfaces of the server rather than access to the Class file directly. So there is no way for hackers to decompile Class files. Currently, there are more and more standards and protocols services provided through interfaces, such as HTTP, Web Service, RPC, etc. But there are lots of applications are not suitable for this protection. For example, Java programs in stand-alone programs are unable to isolate.

为了防止Class文件被直接反编译，很多开发者都会对一些关键的Class文件进行加密，比如注册号、序列号管理等相关类.在使用这些加密类之前，程序需要先解密这些类，然后将这些类加载到JVM中.这些类可以通过硬件或软件解密.

To prevent Class files from being decompiled directly, many developers will encrypt some key Class files, such as registration number, serial number management and other related classes. Before using these encrypted classes, the program needs to decrypt these classes first, then loading these classes into JVM. These classes can be decrypted by hardware, or software.

开发人员经常通过自定义的 ClassLoader 类加载加密类(Applet 出于安全考虑不支持自定义的 ClassLoader).自定义类加载器会先找到加密类，然后解密它们.最后将解密的类加载到 JVM.Customed ClassLoader 是这个protect 方法中非常重要的一个类.因为它本身没有加密，所以它可能是黑客的第一个目标.如果破解了相关的解密密钥和算法，那么加密的类就可以很容易地解密了.

Developers often loading cryptographic classes through a customed ClassLoader class (Applet does not support customed ClassLoader because of security). Customed ClassLoader will find cryptographic classes first, then decrypt them. And finally loading the decrypted classes to JVM. Customed ClassLoader is a very important class in this protect method. Because it itself is not encrypted, it may be the first target of a hacker. If the relevant decryption key and algorithm have been overcome, then the encrypted classes can easily be decrypted.

将程序转为本机代码也是防止反编译的有效方法.因为原生代码往往很难被反编译.开发人员可以将整个应用程序转换为原生代码，也可以只转换关键模块.如果只是转换模块的关键部分，Java程序在使用这些模块时需要JNI技术来调用.使用这种方法来保护Java程序时，它放弃了Java的跨平台特性.对于不同的平台，我们需要维护不同版本的原生代码，这会增加软件支持和维护工作量.但是对于一些关键模块，有时这种解决方案往往是必要的.为了保证这些原生代码不会被修改或替换，开发者往往需要对这些代码进行数字签名.在使用这些原生代码之前，开发者往往需要对这些本地代码进行认证，以确保这些代码没有被黑客篡改.如果签名检查通过，则开发者可以调用相关的JNI方法.

Convert program to native codes is also an effective way to prevent decompilation. Because native codes are often difficult to be decompiled. Developers can convert the entire application to native codes, or they can also convert only key modules. If just convert key part of the modules, it will need JNI technology to call when Java programs are using these modules. It abandoned Java's cross-platform feature when using this mothod to protect Java programs. For different platforms, we need to maintain different versions of the native codes, which will increase software support and maintenance workload. But for some key modules, sometimes this solution is often necessary. In order to guarantee these native codes will not be modified or replaced, developers often need to digitally sign these codes. Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.

代码混淆是对Class文件进行重新组织和处理，使处理后的代码与未处理的代码完成相同的功能(语义).但是混淆后的代码很难反编译，即反编译后的代码很难理解，因此反编译人员很难理解真正的语义.理论上，如果黑客有足够的时间，混淆的代码仍然可能被破解.甚至有些人正在开发反混淆工具.但从实际情况来看，由于混淆的多元化发展，混淆理论的成熟，混淆后的Java代码可以很好的防止反编译.

Code obfuscation is to re-organize and process Class file, making the treated codes accomplish the same function (semantics) with the untreated codes. But the obfuscated codes are difficult to be decompiled, i.e., the decompiled codes are very difficult to understand, therefore decompile staffs are hard to understand the really semantics. Theoretically, if hackers have enough time, obfuscated codes may still be cracked. Even some people are developing de-obfuscate tool. But from the actual situation, since the diversified development of obfuscation, the mature of obfuscation theory, obfuscated Java codes can well prevent decompilation.

APK Protect 是 APK 的在线加密网站，但活动显然自 2013 年左右停止.提供Java代码和C++代码保护，实现反调试、反编译效果.

APK Protect was an online encryption website for APK, but activity has apparently been discontinued since 2013 or so. It provided Java codes and C++ codes protection to achieve anti-debugging and decompile effects.

我最初建议您使用最后一种方法，因为它可以为您节省更多时间.根据我的经验，操作非常简单，不会花费很长时间.

I originally suggested you use this last method for it could save you more time. Based on my experience, it was very simple to operate and it wouldn't take long time.

这篇关于如何使 apk 安全.防止反编译的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！