How do I protect OAuth keys from a user decompiling my project?


Problem description

I am writing my first application to use OAuth. This is for a desktop application, not a website or a mobile device where it would be more difficult to access the binary, so I am concerned on how to protect my application key and secret. I feel it would be trivial to look at the compiled file and find the string that stores the key.

Am I overreacting or is this a genuine problem (with a known solution) for desktop apps?


This project is being coded in Java but I am also a C# developer so any solutions for .NET would be appreciated too.

EDIT: I know there is no perfect solution, I am just looking for mitigating solutions.

EDIT2: I know pretty much the only solution is to use some form of obfuscation. Are there any free providers for .NET and Java that will do string obfuscation?

Recommended answer


There is no good or even half good way to protect keys embedded in a binary that untrusted users can access.


There are reasons to at least put a minimum amount of effort to protect yourself.


The minimum amount of effort won't be effective. Even the maximum amount of effort won't be effective against a skilled reverse engineer / hacker with just a few hours of spare time.


If you don't want your OAuth keys to be hacked, don't put them in code that you distribute to untrusted users. Period.

Am I overreacting or is this a genuine problem (with a known solution) for desktop apps?


It is a genuine problem with no known (effective) solution. Not in Java, not in C#, not in Perl, not in C, not in anything. Think of it as if it was a Law of Physics.

Your options are:

  • Force your users to use a trusted platform that will only execute crypto signed code. (Hint: this is most likely not practical for your application because current generation PCs don't work this way. And even TPS can be hacked given the right equipment.)

  • Turn your application into a service and run it on a machine / machines that you control access to. (Hint: it sounds like OAuth 2.0 might remove this requirement.)

  • Use some authentication mechanism that doesn't require permanent secret keys to be distributed.

  • Get your users to sign a legally binding contract to not reverse engineer your code, and sue them if they violate the contract. Figuring out which of your users has hacked your keys is left to your imagination ... (Hint: this won't stop hacking, but may allow you to recover damages, if the hacker has assets.)


By the way, argument by analogy is a clever rhetorical trick, but it is not logically sound. The observation that physical locks on front doors stop people stealing your stuff (to some degree) says nothing whatsoever about the technical feasibility of safely embedding private information in executables.

And ignoring the fact that argument by analogy is unsound, this particular analogy breaks down for the following reasons. Physical locks are not impregnable. The lock on your front door works because someone standing at your house on the street fiddling with your lock for a minute or so ... or bashing its visible front with a sledgehammer ... is running the risk that he/she will be observed, and the police will be called. Bank vaults work because the time it takes to penetrate them is a number of hours, and there are alarms, security guards, and so on. By contrast, a hacker can spend minutes, hours or even days trying to break your technical protection measures with effectively zero risk of being observed / detected doing it.
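As an added illustration of the third option in the answer above (an authentication mechanism that does not require a permanent secret to be distributed), here is a PKCE (RFC 7636) helper for a Java desktop client. This is example code written for this page, not code from the asker's project or from any OAuth library; the authorization endpoint, the client_id and the loopback redirect URI are placeholders. With PKCE the shipped binary contains only a public client_id, which is not a secret; the only secret is a fresh code_verifier generated per authorization, kept in memory, and never written into the code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * PKCE (RFC 7636) helper for a native/desktop OAuth 2.0 public client.
 * Added example for this thread; endpoint and client_id below are hypothetical.
 */
public final class PkceExample {
    private static final SecureRandom RNG = new SecureRandom();

    /** Fresh per-authorization secret: 32 random bytes, base64url without padding (43 chars). */
    public static String newCodeVerifier() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** S256 challenge = BASE64URL(SHA-256(ASCII(code_verifier))); safe to send in the clear. */
    public static String codeChallenge(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * What the authorization server does at the token endpoint: recompute the challenge
     * from the presented verifier and compare it in constant time with the stored one.
     */
    public static boolean serverSideCheck(String storedChallenge, String presentedVerifier) {
        byte[] recomputed = codeChallenge(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(recomputed, stored);
    }

    public static void main(String[] args) {
        // Self-check against the published test vector in RFC 7636, Appendix B.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC vector ok: " + codeChallenge(rfcVerifier).equals(rfcChallenge));

        String verifier = newCodeVerifier();      // lives only in memory for this flow
        String challenge = codeChallenge(verifier);

        // Step 1: the authorization request carries the challenge, never the verifier.
        // (hypothetical endpoint, client_id and loopback redirect; no client_secret exists)
        String authUrl = "https://auth.example.invalid/authorize"
                + "?response_type=code&client_id=desktop-app-public"
                + "&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fcb"
                + "&code_challenge=" + challenge + "&code_challenge_method=S256";
        System.out.println("open in browser: " + authUrl);

        // Step 2: after the code comes back on the loopback redirect, the token request
        // sends the verifier; the server binds the code to whoever knows it.
        System.out.println("server accepts right verifier: " + serverSideCheck(challenge, verifier));
        System.out.println("server rejects other verifier: " + !serverSideCheck(challenge, newCodeVerifier()));
    }
}
```

The point for a desktop app is that there is nothing long-lived in the binary worth extracting: a decompiler reveals the client_id, which the authorization server already treats as public, and each code_verifier exists only for the seconds between the authorization request and the token request. The same idea applies unchanged to a C# client using System.Security.Cryptography for the SHA-256 and base64url steps.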
