Key generation example for in-app purchases on Android
In the in-app purchase sample application in sdk\extras\google\play_billing, there is the following comment:
/* base64EncodedPublicKey should be YOUR APPLICATION'S PUBLIC KEY
* (that you got from the Google Play developer console). This is not your
* developer public key, it's the *app-specific* public key.
*
* Instead of just storing the entire literal string here embedded in the
* program, construct the key at runtime from pieces or
* use bit manipulation (for example, XOR with some other string) to hide
* the actual key. The key itself is not secret information, but we don't
* want to make it easy for an attacker to replace the public key with one
* of their own and then fake messages from the server.
*/
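Can anyone help me with an example of generating the key at runtime from pieces or using bit manipulation? That part is not clear to me.
Thanks
It just means that you should not leave your key in a plain string constant, because even with obfuscation it may not be hidden from curious eyes...
So, build the key from different pieces. For example, suppose the key is "123456". You can get the same string by concatenating 1L + "23", then parsing it as a Long, multiplying by 1000 and adding 456: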
Long longVal = 1L;
String code = longVal.toString() + "23";        // "1" + "23" -> "123"
longVal = Long.parseLong(code) * 1000L + 456;   // 123 * 1000 + 456 = 123456
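In the compiled bytecode it will be somewhat distorted, and even when decompiled, everything will look uglier and harder to read. By the way, maybe you can also go a bit bitwise.
More info: Protect string constant against reverse-engineering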
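The XOR variant that the SDK comment mentions, combined with splitting into pieces, as an added example that is not part of the original answer or of the SDK sample. The class name KeyAssembler, the methods xor and assemble, the mask string and the key value are all assumptions made up for illustration; the key is a constructed placeholder, not a real Google Play key.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class KeyAssembler {
    // XOR data with a repeating mask. XOR is its own inverse, so the same
    // method masks the key at build time and unmasks it at runtime.
    static byte[] xor(byte[] data, byte[] mask) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ mask[i % mask.length]);
        }
        return out;
    }

    // Runtime step: join the stored pieces in order, then unmask the result.
    static String assemble(byte[][] pieces, byte[] mask) {
        int total = 0;
        for (byte[] p : pieces) total += p.length;
        byte[] joined = new byte[total];
        int pos = 0;
        for (byte[] p : pieces) {
            System.arraycopy(p, 0, joined, pos, p.length);
            pos += p.length;
        }
        return new String(xor(joined, mask), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        // Constructed placeholder standing in for base64EncodedPublicKey.
        String key = "CONSTRUCTED-SAMPLE-KEY-0123456789";
        byte[] mask = "some other string".getBytes(StandardCharsets.US_ASCII);

        // Build-time step (run once, off the device): mask, then split in three.
        byte[] masked = xor(key.getBytes(StandardCharsets.US_ASCII), mask);
        int a = masked.length / 3, b = 2 * masked.length / 3;
        byte[][] pieces = {
            Arrays.copyOfRange(masked, 0, a),
            Arrays.copyOfRange(masked, a, b),
            Arrays.copyOfRange(masked, b, masked.length)
        };
        // These array literals are what would be pasted into the app,
        // ideally in different classes, instead of the key string itself.
        for (byte[] p : pieces) System.out.println(Arrays.toString(p));

        // Runtime step: the app only ever holds the pieces and the mask.
        String rebuilt = assemble(pieces, mask);
        if (!rebuilt.equals(key)) throw new AssertionError("round trip failed");
        System.out.println(rebuilt);
    }
}
```

As the SDK comment says, the key itself is not secret; this only makes the literal harder to locate and replace in the compiled app.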