问题
I assume someone's built an APK decompiler..... What's the best practice to secure sensitive info (like auth parameters for a backend database)? I suppose some kind of middleware would work but that can't do good things for speed. What's the "right way"?
回答1:
It's difficult to reverse-engineer Dalvik byte code; my understanding is that there's not a simple mapping back to Java byte code, much less to Java source, particularly if it's gone through ProGuard. However, auth parameters are usually data, not code, and that can be snooped for rather more easily. Moreover, someone interested in breaking your credentials has lots of other means of attack, including packet sniffing, that don't require recovering your source code. The comment by Anon is exactly right—don't trust the client.
As to best practices, you can use a public key encryption system, get credentials from the server, etc., to avoid putting sensitive info into the .apk file. Don't trust obfuscation or obscure byte code to keep your secrets. They won't.
回答2:
If you're writing an Andoid app and using AWS, strongly recommend you check out:
https://github.com/apetresc/awskeyserver
Author uses the AWS IAM (Identity and Access Management service) with Google App Engine to successfully protect authentication parameters. I imagine IAM will eventually be included in AWS' Android SDK but until then, this is a great option.
来源:https://stackoverflow.com/questions/5037425/how-can-you-protect-info-contained-in-an-apk