如何保护 APK 中包含的信息? [英] How can you protect info contained in an APK?

问题描述

我假设有人构建了一个 APK 反编译器..... 保护敏感信息(例如后端数据库的身份验证参数)的最佳做法是什么?我想某种中间件会起作用，但这对速度没有好处.什么是正确的方式"?

I assume someone's built an APK decompiler..... What's the best practice to secure sensitive info (like auth parameters for a backend database)? I suppose some kind of middleware would work but that can't do good things for speed. What's the "right way"?

推荐答案

很难对 Dalvik 字节码进行逆向工程；我的理解是，没有一个简单的映射回 Java 字节码，更不用说到 Java 源代码，特别是如果它通过 ProGuard.然而，身份验证参数通常是数据，而不是代码，并且可以更容易地窥探.此外，有兴趣破坏您的凭据的人有许多其他攻击手段，包括数据包嗅探，不需要恢复您的源代码.Anon 的评论完全正确——不要相信客户.

It's difficult to reverse-engineer Dalvik byte code; my understanding is that there's not a simple mapping back to Java byte code, much less to Java source, particularly if it's gone through ProGuard. However, auth parameters are usually data, not code, and that can be snooped for rather more easily. Moreover, someone interested in breaking your credentials has lots of other means of attack, including packet sniffing, that don't require recovering your source code. The comment by Anon is exactly right—don't trust the client.

至于最佳实践，您可以使用公钥加密系统、从服务器获取凭据等，以避免将敏感信息放入 .apk 文件中.不要相信混淆或模糊的字节码来保守你的秘密.他们不会.

As to best practices, you can use a public key encryption system, get credentials from the server, etc., to avoid putting sensitive info into the .apk file. Don't trust obfuscation or obscure byte code to keep your secrets. They won't.

这篇关于如何保护 APK 中包含的信息?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！