How to securely store a hardcoded API key on Android?
In my Android project I want to store an API key in a secure way. The key is generated outside the application and needs to be stored in the app somehow before the app is built.
I have seen some examples of how to use the KeyStore (like this or this), but as far as I understand those are solutions for storing keys generated at runtime, not for a key that I want to store in my code.
I've also checked the other methods explained here, but they look like the API key could quite easily be retrieved thanks to reverse engineering.
I also don't want to store my key in my code, also because it could easily be retrieved via reverse engineering.
The purpose of it is to be able to send that key every time I call a webservice that I've made, so I'm sure (or almost sure) that the call comes from the original app that I'm making and that will be published on the Play Store, and not from elsewhere.
I'm far from being a security expert, so any help would be appreciated.
Thanks.
Your challenge
The purpose of it is to be able to send that key every time I call a webservice that I've made, so I'm sure (or almost sure) that the call comes from the original app that I'm making and that will be published on the Play Store, and not from elsewhere.
This is a very hard task, but not impossible, and it is where one needs to dig deep into mobile API security and understand the mechanics behind it.
It is important to clearly understand the difference between who and what is in an API request, otherwise any security solution you may devise or use may not achieve the intended result.
THE DIFFERENCE BETWEEN WHO AND WHAT IS ACCESSING THE API SERVER
I wrote a series of articles about API and mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract the main takeaways here:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
So, you need to think of the who as the user that your API server will be able to authenticate and authorize access to the data, and think of the what as the software making that request on behalf of the user.
Reverse engineering
I also don't want to store my key in my code, also because it could easily be retrieved via reverse engineering.
Very true, and depending on the method used to hide the API key it can be more or less easy to achieve, as you mentioned:
I've also checked the other methods explained here, but they look like the API key could quite easily be retrieved thanks to reverse engineering.
No matter how securely the API key is stored, whether in the Android KeyStore, encrypted, obfuscated, etc., at some point the API key needs to be sent in plain text in the header of the API request, and at that point it is easy to extract via static reverse engineering, a MitM attack or an instrumentation framework.
I wrote the article How to Extract an API key from a Mobile App with Static Binary Analysis to show how easy it is to do:
The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.
During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.
I wrote another article on achieving it at runtime, Steal that Api Key with a Man in the Middle Attack:
In order to help to demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.
So, in this article you will learn how to set up and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.
It is also possible to use an instrumentation framework at runtime to hook the code that uses the API key in order to extract it. For example the popular Frida framework:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
So, no matter what is done to protect the API key, once it is in the API request it is easy to extract.
Mobile API Security
Anything that runs on the client side and needs some secret to access an API can be abused in different ways, and you can learn more about it in this series of articles about mobile API security techniques. The articles will teach you how API keys, user access tokens, HMAC and TLS pinning can be used to protect the API and how they can be bypassed.
Possible solutions
I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.
The best possible solution for your problem is known as Mobile App Attestation, which will let your backend know that the what making the request is indeed a genuine and untampered version of your mobile app, as you want to achieve:
The purpose of it is to be able to send that key every time I call a webservice that I've made, so I'm sure (or almost sure) that the call comes from the original app that I'm making and that will be published on the Play Store, and not from elsewhere.
Do you want to go the extra mile?
In any answer to a security question I always like to reference the excellent work from the OWASP foundation.
For APIs
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
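To make the attestation idea from the answer concrete, here is an added example (not the answer's code and not any particular attestation product) of the backend side: the static API key shipped in the APK is replaced by a short-lived HMAC-signed token whose signing secret lives only on the attestation service and the backend, so nothing recoverable from the app can forge it. The package name, secret and token format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret shared only between the attestation service and the backend.
# The mobile app never holds it, so nothing extracted from the APK can forge a token.
ATTESTATION_SECRET = b"constructed-demo-secret-never-shipped-in-the-apk"
EXPECTED_APP_ID = "com.example.demoapp"  # hypothetical package name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(secret: bytes, app_id: str, now: int, ttl: int = 300) -> str:
    """Issued by the attestation service after it has checked the app's integrity.
    A short-lived signed token stands in for the long-lived static API key."""
    claims = {"app": app_id, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_attestation_token(secret: bytes, token: str, expected_app: str, now: int) -> bool:
    """Backend check: signature, app identity and expiry must all hold."""
    try:
        payload, sig = token.split(".")
        expected_sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
            return False  # tampered payload, forged signature or wrong issuer
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return False  # malformed token; base64 and JSON errors are ValueErrors
    if not isinstance(claims, dict):
        return False
    exp = claims.get("exp")
    return claims.get("app") == expected_app and isinstance(exp, int) and exp > now


def check_request(headers: dict, now: int) -> bool:
    """Gate an API request on a valid attestation token instead of a static key."""
    token = headers.get("X-App-Token", "")
    return verify_attestation_token(ATTESTATION_SECRET, token, EXPECTED_APP_ID, now)
```

A stolen token is only useful until it expires, and a token must be obtained per run from the attestation service rather than read out of the binary.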