Where to keep static information securely in an Android app?

In my Android app I am using a few keys and tokens for authentication and initialisation. I need to store these static keys securely somewhere in the app, and at the same time I need to access them from code. I know about SharedPreferences and Gradle variables, which I am using currently. I have tried cryptography as well, but then I also have to store the secretKey for decryption.
So, I am searching for any workaround or proper solution. Any help will be highly appreciated.

Your question

Where to keep static information securely in Android app?

No matter where or how you store them, from the moment you release your mobile app any secret inside it now belongs to the public domain.

I have tried Cryptography as well, but then I will have to store the secretKey also for decryption.

You can make it harder to reverse engineer through static analysis by hiding it in C code, using the JNI/NDK interface in Android, as I did in the Currency Converter Demo repo, but then if the attacker is not able to reverse engineer it this way, he will do it during run-time with an instrumentation framework, and a popular one is Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

Another option is to try to compute the key at run-time, but Frida will again hook the function that does this and extract the key from its return value.

A basic code example of computing an HMAC at run-time can be found in the ShipFast Demo repository:

import android.util.Base64
import android.util.Log
import java.net.URL
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// JniEnv().getHmacSecret(), currentDemoStage, DemoStage, loadShipFastAPIKey()
// and ByteArray.toHex() are defined elsewhere in the ShipFast demo app.
private fun calculateAPIRequestHMAC(url: URL, authHeaderValue: String): String {

    // The base64-encoded secret is returned from native (JNI/NDK) code
    val secret = JniEnv().getHmacSecret()
    var keySpec: SecretKeySpec

    // Configure the request HMAC based on the demo stage
    when (currentDemoStage) {
        DemoStage.API_KEY_PROTECTION, DemoStage.APPROOV_APP_AUTH_PROTECTION -> {
            throw IllegalStateException("calculateAPIRequestHMAC() not used in this demo stage")
        }
        DemoStage.HMAC_STATIC_SECRET_PROTECTION -> {
            // Just use the static secret to initialise the key spec for this demo stage
            keySpec = SecretKeySpec(Base64.decode(secret, Base64.DEFAULT), "HmacSHA256")
            Log.i(TAG, "CALCULATE STATIC HMAC")
        }
        DemoStage.HMAC_DYNAMIC_SECRET_PROTECTION -> {
            Log.i(TAG, "CALCULATE DYNAMIC HMAC")
            // Obfuscate the static secret to produce a dynamic secret to initialise the key
            // spec for this demo stage: XOR it byte-wise with the API key over the shorter length
            val obfuscatedSecretData = Base64.decode(secret, Base64.DEFAULT)
            val shipFastAPIKeyData = loadShipFastAPIKey().toByteArray(Charsets.UTF_8)
            for (i in 0 until minOf(obfuscatedSecretData.size, shipFastAPIKeyData.size)) {
                obfuscatedSecretData[i] = (obfuscatedSecretData[i].toInt() xor shipFastAPIKeyData[i].toInt()).toByte()
            }
            val obfuscatedSecret = Base64.encode(obfuscatedSecretData, Base64.DEFAULT)
            keySpec = SecretKeySpec(Base64.decode(obfuscatedSecret, Base64.DEFAULT), "HmacSHA256")
        }
    }

    Log.i(TAG, "protocol: ${url.protocol}")
    Log.i(TAG, "host: ${url.host}")
    Log.i(TAG, "path: ${url.path}")
    Log.i(TAG, "Authentication: $authHeaderValue")

    // Compute the request HMAC using the HMAC SHA-256 algorithm over the
    // protocol, host, path and Authorization header value, in that order
    val hmac = Mac.getInstance("HmacSHA256")
    hmac.init(keySpec)
    hmac.update(url.protocol.toByteArray(Charsets.UTF_8))
    hmac.update(url.host.toByteArray(Charsets.UTF_8))
    hmac.update(url.path.toByteArray(Charsets.UTF_8))
    hmac.update(authHeaderValue.toByteArray(Charsets.UTF_8))
    return hmac.doFinal().toHex()
}

Bear in mind that this is a simple solution, but even sophisticated ones are vulnerable to the Frida scripts an attacker uses.

Defense in depth

So, am searching for any workaround or proper solution. Any help will be highly appreciated.

Security is about adding as many layers as you can, so that the attacker has to spend time overcoming all of them, and so that the bar for the skills an attacker needs is raised.

So using C code to hide a secret, such as a decryption key, and storing the encrypted secret in the Android Keystore will throw off script kiddies, but it will leave you vulnerable to an attacker who knows how to hook into your code with a Frida script.

In my Android app, am using few keys and tokens for authentication and initialisations.

If you are trying to protect the key that gives access to your API, then you can read up on how implementing the mobile app attestation concept lets you access your API server without having to store secrets in the app. For initialisation purposes, I recommend that you move this logic to the backend, because any decision taken inside the app can be modified/bypassed with instrumentation frameworks.

Also consider using strong obfuscation techniques across your whole code base; this adds another layer of difficulty to the steps an attacker needs to take to reverse engineer your mobile app.

Do you want to go the extra mile?

In any answer to a security question I always like to reference the excellent work of the OWASP Foundation.

For mobile apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
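To make the request-signing scheme in the answer's Kotlin snippet concrete from both ends, the following is an added Python example (not code from the ShipFast demo or from the answer). It reproduces the two key-derivation stages (static secret, and the dynamic secret obtained by XORing the decoded secret with the API key bytes), computes the same HMAC-SHA256 over scheme, host, path and Authorization value, and adds the server-side check the Kotlin code leaves implicit: the backend re-derives the key and compares the presented signature in constant time. The secret, API key, URL and token are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample material for this example only; a real deployment
# provisions its own secret and API key and never ships them to the client
# in the clear (the point of the answer is that anything shipped is public).
HMAC_SECRET_B64 = base64.b64encode(b"constructed-32-byte-hmac-secret!").decode()
API_KEY = "constructed-api-key-value"


def derive_key(secret_b64: str, api_key: str, dynamic: bool) -> bytes:
    """Mirror the two key-derivation stages of the posted Kotlin code.

    static:  the base64-decoded secret is used as the HMAC key as-is.
    dynamic: the decoded secret is XORed byte-wise with the UTF-8 API key
             over the shorter of the two lengths; bytes beyond that length
             are left unchanged, exactly as the Kotlin loop does.
    """
    key = bytearray(base64.b64decode(secret_b64))
    if dynamic:
        api_key_bytes = api_key.encode("utf-8")
        for i in range(min(len(key), len(api_key_bytes))):
            key[i] ^= api_key_bytes[i]
    return bytes(key)


def request_hmac(url: str, auth_header_value: str, key: bytes) -> str:
    """HMAC-SHA256 over scheme, host, path and the Authorization header value,
    fed in the same order as the Kotlin hmac.update() calls, hex encoded."""
    parts = urlsplit(url)
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for piece in (parts.scheme, parts.hostname or "", parts.path, auth_header_value):
        mac.update(piece.encode("utf-8"))
    return mac.hexdigest()


def verify_request(url: str, auth_header_value: str, presented_hmac: str, key: bytes) -> bool:
    """Server side: recompute the signature and compare in constant time, so a
    mismatch does not leak how many leading hex characters were correct."""
    expected = request_hmac(url, auth_header_value, key)
    return hmac.compare_digest(expected, presented_hmac)


def demo() -> dict:
    """Sign one request as the app would and check it as the backend would,
    then show that a tampered path or a key from the other stage is rejected."""
    url = "https://api.example.test/shipments"
    auth = "Bearer constructed-token"
    static_key = derive_key(HMAC_SECRET_B64, API_KEY, dynamic=False)
    dynamic_key = derive_key(HMAC_SECRET_B64, API_KEY, dynamic=True)
    signature = request_hmac(url, auth, dynamic_key)
    return {
        "signature": signature,
        "valid": verify_request(url, auth, signature, dynamic_key),
        "tampered_path": verify_request("https://api.example.test/shipments/other", auth, signature, dynamic_key),
        "wrong_stage_key": verify_request(url, auth, signature, static_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verification side is where the scheme actually buys anything: the backend has to hold the same secret and API key, re-derive the key for the stage the client is in, and reject any request whose scheme, host, path or Authorization value differs from what was signed. Whatever the client does to hide its copy of the secret, the server check is the part that stays under your control.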