存储在Android的私有API密钥最佳实践 [英] Best Practice for storing private API keys in Android

问题描述

我开发一个应用程序，我用几个第三方API和SDK，如Dropbox的和谷歌驱动器。 这些库requiers API密钥。私人和公共的。

目前我也有东西是这样的：

 公共类DropboxService {

    私人最终静态字符串APP_KEY =jk433g34hg3;
    私人最终静态字符串APP_SECRET =987dwdqwdqw90;
    私人最终静态接入类型ACCESS_TYPE = AccessType.DROPBOX;

    //一些code HERE

}
 

在App-秘密密钥应保密的 - 但释放的应用程序时，他们可以通过一些球员得到扭转

我想知道什么是加密，混淆或者其他做的最好的事情这一安全的。

我想过使用ProGuard的，但设置ProGuard的整个项目会带我几个星期。这就是为什么我只是想用ProGuard的这些重要的类存储私钥和其他sensitible数据。

有这样的确定或其他方法吗？你怎么看？

解决方案

1. 正因为如此，你的编译的应用程序中包含的关键字符串，而且还不断的名字APP_KEY和APP_SECRET。从这样的自我说明code提取密钥是微不足道的，例如与标准的Andr​​oid工具DX。

2. 您可以使用ProGuard的。它会留下钥匙串不变，但会删除常量名。它也将重新命名的类和方法有短的，无意义的名字，在这里可以没有。提取键则需要一些时间，搞清楚这串用于该目的。

   注意设置ProGuard的不应该是因为你害怕困难。首先，你只需要启用ProGuard的，作为记录在project.properties。如果有第三方库的任何问题，你可能需要晚饭preSS一些警告和/或prevent它们被混淆，在ProGuard的-project.txt。例如：的

     -dontwarn com.dropbox。**
   -keep类com.dropbox ** {*。 }
    

   这是一个强力的办法;你可以提炼这样的配置，一旦处理应用程序的工作。的

3. 您可以手动在code与Base64编码或preferably有更复杂的东西混淆的字符串，例如;甚至本土code。那么黑客将不得不静态反向工程的编码或动态拦截在正确的位置进行解码。

4. 您可以应用商业混淆，如ProGuard的的专业兄弟 DexGuard 。它还可加密/混淆的字符串和类为您服务。提取键则需要更多的时间和专业知识。

5. 您也许能够在自己的服务器上运行的应用程序的某些部分。如果你能保持的钥匙在那里，他们是安全的。

在最后，这是一个经济的权衡，你必须做：多么重要的关键是，有多少时间或软件你能负担得起，多么复杂是谁感兴趣的是按键的黑客，需要多长时间他们希望花费多少价值是键被黑客攻击之前，以何种规模将任何成功的黑客分发密钥等小件像密钥的信息是更加难以保护不是整个应用程序的延迟。实质上，没有对客户端是牢不可破的，但你一定可以提高标准。

（我ProGuard，并将DexGuard的开发者）

I am developing an app and I use several third party APIs and SDKs such as Dropbox and Google Drive. These libraries requiers API keys. A private and a public one.

Currently I have sth like this:

public class DropboxService  {

    private final static String APP_KEY = "jk433g34hg3";
    private final static String APP_SECRET = "987dwdqwdqw90";
    private final static AccessType ACCESS_TYPE = AccessType.DROPBOX;

    // SOME MORE CODE HERE

}

The App-Secret key should be kept private - but when releasing the app they can be reversed by some guys.

I want to know what is the best thing to encrypt, obfuscate or whatever to make this secure.

I thought about using ProGuard but setting up ProGuard for the whole project would take me some weeks. Thats why I wanted only to use ProGuard for these important classes storing private keys and other sensitible data.

Is this ok or are there other ways? What do you think?

解决方案

1. As it is, your compiled application contains the key strings, but also the constant names APP_KEY and APP_SECRET. Extracting keys from such self-documenting code is trivial, for instance with the standard Android tool dx.

2. You can apply ProGuard. It will leave the key strings untouched, but it will remove the constant names. It will also rename classes and methods with short, meaningless names, where ever possible. Extracting the keys then takes some more time, for figuring out which string serves which purpose.

   Note that setting up ProGuard shouldn't be as difficult as you fear. To begin with, you only need to enable ProGuard, as documented in project.properties. If there are any problems with third-party libraries, you may need to suppress some warnings and/or prevent them from being obfuscated, in proguard-project.txt. For instance:

   -dontwarn com.dropbox.**
   -keep class com.dropbox.** { *; }
   

   This is a brute-force approach; you can refine such configuration once the processed application works.

3. You can obfuscate the strings manually in your code, for instance with a Base64 encoding or preferably with something more complicated; maybe even native code. A hacker will then have to statically reverse-engineer your encoding or dynamically intercept the decoding in the proper place.

4. You can apply a commercial obfuscator, like ProGuard's specialized sibling DexGuard. It can additionally encrypt/obfuscate the strings and classes for you. Extracting the keys then takes even more time and expertise.

5. You might be able to run parts of your application on your own server. If you can keep the keys there, they are safe.

In the end, it's an economic trade-off that you have to make: how important are the keys, how much time or software can you afford, how sophisticated are the hackers who are interested in the keys, how much time will they want to spend, how much worth is a delay before the keys are hacked, on what scale will any successful hackers distribute the keys, etc. Small pieces of information like keys are more difficult to protect than entire applications. Intrinsically, nothing on the client-side is unbreakable, but you can certainly raise the bar.

(I am the developer of ProGuard and DexGuard)

这篇关于存储在Android的私有API密钥最佳实践的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！