问题
I am developing a android application, in this application assets folder contains some password and some imp information.
I want to prevent a hacker from accessing any resources, assets or source code from the APK file, Mainly assets resources.
How can I achieve this thing?
I found and also think about following solutions, Please make me correct and provide your suggestions on this.
1) Put every data or files in assets folder in encrypted way.
In this solution when i require to use this assets folder data then i need to do decryption every time that make my application slow.
2) To secure resources, don't include all important resources in the assets folder with APK. Download these resources at the time of application first start up.
This solution also not suitable for my application as i want to use my application in Offline mode if it is going to be use first time or second time.
3) obfuscation would not protect assets folder data so we can not use that.
Please provide your suggestions and inputs on the same.
Any help would be appreciated.
Thanks & Regards
回答1:
Reverse engineering on Android is REALLY easy ! You can't prevent that. You should not store any sensitive informations in your APK because someone could find them easily.
You should use asymmetric encryption if you want to store something on the user device.
It's possible to hide some data in your code like a symmetric encryption key but it will be found in few minutes if someone want to find it. (and few seconds if you put it in assets folder...)
EDIT If you want to put a symmetric encryption key in your code, don't set it like :
String myKey = "myEncryptionKey";
byte[] key = myKey.getBytes();
because a reverse engineer is able to list all strings in your apk with a single command... So use something like :
StringBuilder sb = new StringBuilder();
sb.append(m);
sb.append(y);
...
byte[] key = sb.toString().getBytes();
or
byte[] key = Base64.decode("esfas09f8as90f8").getBytes();
回答2:
Any data which you install on a client device will be accessible to the user. Tools like Proguard are great for code optimization and may make code slightly less readable but anyone with your APK can reverse engineer the application and access everything which you included on the APK file.
For example, you can store sensitive data in the assets folder which an attacker can access easily, now encrypting this is fine but what key are you using to encrypt it? Where is the key stored?
There is another tool called DexGuard which can encrypt strings. However this has not been a proven defense yet and will only slow an attacker down.
In summary never store sensitive data on your App, it cannot be protected.
If you want to find out how easy this is, check out the following tools:
https://code.google.com/p/dex2jar/
&
http://jd.benow.ca/
来源:https://stackoverflow.com/questions/20068909/how-to-avoid-reverse-engineering-of-an-apk-assets-folder-resources-items-file