开发者

How can you protect info contained in an APK?

I assume someone's built a开发者_如何学Pythonn APK decompiler..... What's the best practice to secure sensitive info (like auth parameters for a backend database)? I suppose some kind of middleware would work but that can't do good things for speed. What's the "right way"?


If you're writing an Andoid app and using AWS, strongly recommend you check out:

https://github.com/apetresc/awskeyserver

Author uses the AWS IAM (Identity and Access Management service) with Google App Engine to successfully protect authentication parameters. I imagine IAM will eventually be included in AWS' Android SDK but until then, this is a great option.


It's difficult to reverse-engineer Dalvik byte code; my understanding is that there's not a simple mapping back to Java byte code, much less to Java source, particularly if it's gone through ProGuard. However, auth parameters are usually data, not code, and that can be snooped for rather more easily. Moreover, someone interested in breaking your credentials has lots of other means of attack, including packet sniffing, that don't require recovering your source code. The comment by Anon is exactly right—don't trust the client.

As to best practices, you can use a public key encryption system, get credentials from the server, etc., to avoid putting sensitive info into the .apk file. Don't trust obfuscation or obscure byte code to keep your secrets. They won't.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜