如何使APK安全。从反编译保护 [英] How to make apk Secure. Protecting from Decompile

问题描述

您好 我开发一个应用程序的公司和我们的应用程序包含源码其中包含个人信息的数据库，我们要保护它。 我们怎样才能保护它。因为一个APK容易反编译完全是因为我做到了我自己。 所以，现在的问题是如何保护的APK？以及如何保护我的数据库是在手机上安装手机应用程序之后。

Hello I am developing an Application for a Company and our application contain a database of sqlite which contain personal information and we want to protect it. How can we protect it. Because an apk is easily decompile completely because i did it myself. So now the question is How to Secure an apk? and also how to protect my database that is in the phone after installing app on phone.

推荐答案

基本上，有5种方法来保护您的APK是开裂/后退/重新包装：

Basically, there are 5 methods to protect your APK being cracking/ reversing/ repackaging:

最简单的方法是让用户无法访问到的Java类节目。这是最根本的办法，而且它有多种具体的方式来实现这一点。例如，开发人员可以将关键的Java类的服务器上，客户端服务器，而不是直接访问类文件的访问权限相关的接口获得服务。因此，有没有办法让黑客反编译的类文件。目前，有通过接口提供越来越多的标准和协议的服务，如HTTP，Web服务，RPC等，但也有很多的应用是不适合这种保护。例如，在独立程序的Java程序无法分离

The easiest way is to make users unable to access to the Java Class program. This is the most fundamental way, and it has a variety of specific ways to achieve this. For example, developers can place the key Java Class on the server, clients acquire services by access relevant interfaces of the server rather than access to the Class file directly. So there is no way for hackers to decompile Class files. Currently, there are more and more standards and protocols services provided through interfaces, such as HTTP, Web Service, RPC, etc. But there are lots of applications are not suitable for this protection. For example, Java programs in stand-alone programs are unable to isolate.

要prevent类被直接反编译的文件，许多开发商将加密一些重要的类文件，如注册号，序列号管理等相关课程。使用这些加密类之前，程序需要这些类先进行解密，然后加载这些类到JVM。这些类可以通过硬件或软件进行解密。

To prevent Class files from being decompiled directly, many developers will encrypt some key Class files, such as registration number, serial number management and other related classes. Before using these encrypted classes, the program needs to decrypt these classes first, then loading these classes into JVM. These classes can be decrypted by hardware, or software.

开发人员通常加载通过订制ClassLoader类加密类（小程序不支持，因为安全的订制类加载器）。订制类加载器将首先找到加密类，然后解密。最后加载解密类JVM。订制ClassLoader是在这个保护方法非常重要的一类。因为它本身是不加密的，它可能是黑客的第一个目标。如果相关的解密密钥和算法已被克服，则加密的类可以很容易地被解密。

Developers often loading cryptographic classes through a customed ClassLoader class (Applet does not support customed ClassLoader because of security). Customed ClassLoader will find cryptographic classes first, then decrypt them. And finally loading the decrypted classes to JVM. Customed ClassLoader is a very important class in this protect method. Because it itself is not encrypted, it may be the first target of a hacker. If the relevant decryption key and algorithm have been overcome, then the encrypted classes can easily be decrypted.

转换程序到本机codeS也是一种有效的方法，以prevent反编译。由于本地codeS往往难以被反编译。开发者可以将整个应用程序到本机codeS，或者他们也可以转换成唯一的关键模块。如果只是转换模块的重要组成部分，它需要JNI技术时，Java程序使用这些模块调用。它放弃了Java的跨平台功能，使用该评判保护的Java程序时。对于不同的平台，我们需要保持不同版本的原生codeS，这将增加软件支持和维护的工作量。但是对于一些关键模块，有时这种解决方案往往是必要的。为了保证这些本地codeS将不会被修改或替换，开发人员经常需要进行数字签名，这些codeS。使用这些本地codeS之前，开发人员经常需要验证这些地方codeS，以确保这些codeS还没有被黑客修改。如果签名校验通过，那么开发者可以调用相关的JNI的方法。

Convert program to native codes is also an effective way to prevent decompilation. Because native codes are often difficult to be decompiled. Developers can convert the entire application to native codes, or they can also convert only key modules. If just convert key part of the modules, it will need JNI technology to call when Java programs are using these modules. It abandoned Java's cross-platform feature when using this mothod to protect Java programs. For different platforms, we need to maintain different versions of the native codes, which will increase software support and maintenance workload. But for some key modules, sometimes this solution is often necessary. In order to guarantee these native codes will not be modified or replaced, developers often need to digitally sign these codes. Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.

code混淆是重新组织和流程类文件，使得处理后的codeS完成与未处理codeS相同的功能（语义）。但是，混淆codeS难以被反编译，也就是说，反编译codeS是很难理解的，因此，反编译工作人员都是很难理解的真正语义。从理论上讲，如果黑客有足够的时间，混淆codeS仍可能破裂。甚至有些人正在开发的去模糊处理工具。但是，从实际情况看，由于多元化发展混淆，成熟的混淆理论，混淆的Java codeS能很好prevent反编译。

Code obfuscation is to re-organize and process Class file, making the treated codes accomplish the same function (semantics) with the untreated codes. But the obfuscated codes are difficult to be decompiled, i.e., the decompiled codes are very difficult to understand, therefore decompile staffs are hard to understand the really semantics. Theoretically, if hackers have enough time, obfuscated codes may still be cracked. Even some people are developing de-obfuscate tool. But from the actual situation, since the diversified development of obfuscation, the mature of obfuscation theory, obfuscated Java codes can well prevent decompilation.

APK保护是一个在线加密网站APK，但活动显然已经从2013左右停产。它提供的Java codeS和C ++ codeS保护，实现反调试和反编译的效果。

APK Protect was an online encryption website for APK, but activity has apparently been discontinued since 2013 or so. It provided Java codes and C++ codes protection to achieve anti-debugging and decompile effects.

我本来建议你用这最后的方法，它可以为您节省更多的时间。根据我的经验，这是非常简单的操作，它不会需要很长时间。

I originally suggested you use this last method for it could save you more time. Based on my experience, it was very simple to operate and it wouldn't take long time.

这篇关于如何使APK安全。从反编译保护的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！