在模糊处理code隐藏的字符串 [英] hiding strings in Obfuscated code
问题描述
我只是混淆我的Android code。使用ProGuard的,然后反编译它。有一些字符串我真的想从窥探隐藏。当我反编译我的code中的字符串在那里给大家看......和变化。其中一个字符串是一个URL到我的授权服务器,他们可以有效改变URL指向一个假冒的服务器(我将发布服务器code公众)。什么是隐藏这种信息的最佳方式是什么?
I just Obfuscated my Android code using proguard and then decompiled it. There are a number of strings I would really like to hide from prying eyes. When I decompiled my code the strings were there for everyone to see...and change. One of the strings is a URL to my licensing server and they could in effect change the url to point to a fake server (as I will be releasing the server code to the public). What is the best way of hiding this sort of information?
另外,我注意到,R类字符串都是随机的数字,但是我无法找到在反编译code R类。这是哪里?
Also, I noticed that the R class strings are all random numbers but I can't find the R class in the decompiled code. Where is it?
敌人例如我看到:新SimpleCursorAdapter(localActivity,2130903058,localCursor,arrayOfString,arrayOfInt);
2130903058是一个布局文件,但它是什么引用?该数字意味着什么,除非它指向某种地址。
2130903058 is a layout file but what is it referencing? The number means nothing unless it is pointing to some sort of address.
推荐答案
假设你是幸福的晦涩难懂,而不是安全的,有一些可以使用的机制,但像ProGuard的obfuscaters不会能够帮助您。
Assuming you are happy with obscure rather than secure, there a number of mechanisms you could use, but obfuscaters like proguard are not going to be able to help you.
要做到这一点,你需要做的编码自己,你使用的方法取决于你正在努力,以避免出现什么字符串或加密,如果你只是想从明显的检查,以隐瞒,比编码可能就足够了(见android.util.Base64,<一个href="http://developer.android.com/reference/android/util/Base64.html">http://developer.android.com/reference/android/util/Base64.html).需要注意的是编码绝不安全,所有的它会来是去除明显的参考网站。
To achieve this you will need to do encoding or encryption of the string yourself, the approach you use depends on what you are trying to defend against, if it you are just trying to hide from obvious inspection, than encoding may be sufficient (see android.util.Base64, http://developer.android.com/reference/android/util/Base64.html). Note that encoding is in NO WAY SECURE and all it will to is remove the obvious reference to your site.
如果你想对更多的东西辩护,那么你可以将实际的加密字符串,要做到这一点,你会使用对称密码如AES通过javax.crypto.Cipher中,<一个href="http://www.androidsnippets.org/snippets/39/index.html">http://www.androidsnippets.org/snippets/39/index.html提供了一个体面的使用示例。再次,这是更恼人然后固定到会被黑客,因为你需要存储一些关键在你的罐子从而否定任何密码的安全性。
If you are trying to defend against something more, then you could move to actually encrypting the string, to do this you would use a symmetric cipher like AES via javax.crypto.Cipher, http://www.androidsnippets.org/snippets/39/index.html provides a decent usage example. Again this is more annoying then secure to would be hackers, as you will need to store the key somewhere in your jar thus negating any cryptographic security.
要说明清楚,基本步骤是:
To make this clearer, the basic steps would be:
- 在手动创建使用已知密钥的加密字符串。
- 将您的code使用该字符串的解密版本,例如:
在
public class Foo {
private String mySecret = "http://example.com";
...
}
变成了:
public class Foo {
private String encrypted = "<manually created encrypted string>";
private String key = "<key used for encryption";
private String mySecret = MyDecryptUtil.decrypt(encrypted, key);
...
}
A(好)的替代所有这一切都是使用第三方DRM解决方案,如授权服务器谷歌提供的<一个考虑href="http://android-developers.blogspot.com/2010/07/licensing-service-for-android.html">http://android-developers.blogspot.com/2010/07/licensing-service-for-android.html.这可能比你滚你自己的东西更安全,但受到非常相似的限制我上面描述的东西。
A (good) alternative to all of this is considering using a third party drm solution such as the licensing server google provides http://android-developers.blogspot.com/2010/07/licensing-service-for-android.html. This may be more secure than something you roll your self, but is subject to very similar limitations to what I described above.
这篇关于在模糊处理code隐藏的字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
