Android In App Billing: securing application public key


Problem description

From the Android In App Billing version 3 (TrivialDrive) sample application that comes with the SDK:

/* base64EncodedPublicKey should be YOUR APPLICATION'S PUBLIC KEY
 * (that you got from the Google Play developer console). This is not your
 * developer public key, it's the *app-specific* public key.
 *
 * Instead of just storing the entire literal string here embedded in the
 * program,  construct the key at runtime from pieces or
 * use bit manipulation (for example, XOR with some other string) to hide
 * the actual key.  The key itself is not secret information, but we don't
 * want to make it easy for an attacker to replace the public key with one
 * of their own and then fake messages from the server.
 */
String base64EncodedPublicKey = "CONSTRUCT_YOUR_KEY_AND_PLACE_IT_HERE";

Well, I am not sure I understand this security measure. I know how to get the application public key (which is already base64 encoded) from the Google Play Developer Console.

What I don't understand is this part:

 /* Instead of just storing the entire literal string here embedded in the
 * program,  construct the key at runtime from pieces or
 * use bit manipulation (for example, XOR with some other string) to hide
 * the actual key
 */

As far as I know, this public key is a constant string, which is given by Google during the application upload process.

How can we create the same key programmatically using any bit manipulation process? Has someone done it before? Is there any sample code on how to do this?

Recommended answer

Something like this:

// GetMiddleBit(), DecrementEachLetter() and ReverseString() are illustrative helpers
// that return the missing fragments; the point is that no single literal holds the key.
String base64EncodedPublicKey = "Ak3jfkd" + GetMiddleBit() + "D349824";

String base64EncodedPublicKey =
        DecrementEachLetter("Bl4kgle") + GetMiddleBit() + ReverseString("D349824");

or anything that doesn't put the key in base64 plaintext in a single string. Probably something that doesn't store the key in base64 at all would be a good idea too, since raw base64 text fragments are pretty easy to spot.

It's not a particularly GOOD way to protect the key. But it protects against a trivial attack where somebody just searches through literal strings in your APK looking for something that looks like a base64-encoded public key. At least you make the #$#$ers work a little bit.

Presumably evil people can do bad things if they identify your public key. Google seems to think so, apparently. I can guess what this step does, but I'm not sure I really want to speculate on that in an open forum and give anyone any ideas. You want to do it though.

The basic plot summary would be that you're making it more difficult for somebody to write an application that programmatically de-LVLs an application.

One assumes that anyone who's doing this makes a living cracking 20 or 30,000 Android apps and republishing them. Chances are, I suppose, that they're not going to take the extra ten minutes to add your app to the list of 20,000 Android apps that have already been broken by a program, if they actually have to do a little bit of manual work. Unless you have a top tier application. And then the battle is potentially endless, and probably ultimately futile.

Splitting the key into consecutive chunks (as proposed in another answer) probably isn't good enough, because the key will end up in consecutive strings in the string constant tables in the APK. Too easy to find that with a program.
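The pieces-plus-XOR approach the answer describes, as an added Java example that is not code from the question, the answer or the TrivialDrive sample: the key string is a constructed placeholder, obfuscate() is the offline build-time step whose output gets pasted into the app as byte arrays, and only deobfuscate() should ship in the APK.

```java
import java.nio.charset.StandardCharsets;

public final class ObfuscatedKey {
    // Constructed placeholder, not a real Play console key.
    static final String PLACEHOLDER_KEY =
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDERNOTAREALKEY";
    // One mask byte per chunk; varying them avoids a repeating pattern.
    static final byte[] MASKS = { 0x5A, (byte) 0xC3, 0x2E, 0x71 };

    /** Build-time step: split the key into chunks and XOR each with its mask.
     *  Run once offline and embed the resulting arrays; the plaintext never ships. */
    static byte[][] obfuscate(String key, int chunks) {
        byte[] raw = key.getBytes(StandardCharsets.US_ASCII);
        int size = (raw.length + chunks - 1) / chunks;
        byte[][] out = new byte[chunks][];
        for (int i = 0; i < chunks; i++) {
            int from = Math.min(raw.length, i * size);
            int to = Math.min(raw.length, from + size);
            out[i] = new byte[to - from];
            for (int j = from; j < to; j++) {
                out[i][j - from] = (byte) (raw[j] ^ MASKS[i % MASKS.length]);
            }
        }
        return out;
    }

    /** Runtime step: unmask and concatenate, ideally only right before the
     *  purchase signature is verified, so the whole key lives briefly in memory. */
    static String deobfuscate(byte[][] chunks) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chunks.length; i++) {
            for (byte b : chunks[i]) {
                sb.append((char) ((b ^ MASKS[i % MASKS.length]) & 0xFF));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[][] parts = obfuscate(PLACEHOLDER_KEY, 4);
        // No masked chunk may still be a substring of the base64 text.
        for (byte[] p : parts) {
            String s = new String(p, StandardCharsets.ISO_8859_1);
            if (PLACEHOLDER_KEY.contains(s)) throw new AssertionError("chunk leaks key text");
        }
        if (!deobfuscate(parts).equals(PLACEHOLDER_KEY)) throw new AssertionError("round trip failed");
        System.out.println("key reconstructed from " + parts.length + " masked chunks");
    }
}
```

As the answer says, this only defeats a plain string search; it does not make the key secret, so the purchase signature check that uses the key is still what actually enforces anything.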
