
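android - AppID and AppKey security issues

If the AppID and AppKey are written in plaintext in Java files or resource files, they can be seen once the APK is decompiled, and then the server-side data can be accessed at will. Is there a good way to ensure security? Of course, storing them in a .so file is also an option, but it is somewhat troublesome, and the method I write for the Java side to call can also be called by other people. What I am actually worried about is that, after the logic code is decompiled and modified and the app is re-signed and republished, it can still pass server verification, so there is no way to guarantee security.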

PHPz 2773 days ago 742

reply all(3)

  • 天蓬老师

    天蓬老师 2017-04-17 11:49:47

    First of all, consider how to ensure security if you don’t use AVOS Cloud and write the server yourself. It is definitely not possible to ask the client to send a fixed password. You will establish an account system and decide whether a certain operation can be allowed based on the currently logged in user. Using AVOS Cloud is exactly the same. We provide management of user permissions through ACL. You can control the permissions of users or user groups for each object or class: https://cn.avoscloud.com/docs/data_security.html#%E5%AE%89%E5%85%A8%E6%80%A7

    Of course this is assuming you have an account system. If you do not have an account system, whether you write your own server program or use AVOS Cloud, you cannot prevent others from sending arbitrary requests to your server. In this case, you can use ACL to set all classes as read-only, and use cloud code or master key to write data from a program that you fully control. This situation generally only applies to information applications without UGC.

    In short, AppID and AppKey mainly play the role of application identification, and you should not rely on the confidentiality of AppID and AppKey to ensure security. This is the same as if you write your own server, you will not use a password hard-coded on the client to ensure security.

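The point of the first reply, shown as an added example that is not part of the original thread and is not AVOS Cloud's API: a hypothetical server-side check in which the AppID/AppKey pair only identifies the application, while access is decided by the logged-in user's ACL entry or by a master key held by back-end code. The names `Request`, `Record`, `allowed` and all ids and keys are assumptions made for illustration.

```python
# Added illustration: a hypothetical server-side authorization model,
# not AVOS Cloud's API. All ids and keys below are constructed samples.
import hmac
from dataclasses import dataclass, field
from typing import Optional

PUBLIC = "*"                       # ACL principal meaning "any caller"
APPS = {"app-123": {"app_key": "key-abc", "master_key": "m-secret"}}

@dataclass
class Request:
    app_id: str
    app_key: str                   # ships inside the APK, so assume it is public
    user_id: Optional[str] = None  # set by the server after verifying a session
    master_key: Optional[str] = None  # held only by back-end code you control

@dataclass
class Record:
    data: dict
    acl: dict = field(default_factory=dict)  # principal -> set of actions

def allowed(req: Request, rec: Record, action: str) -> bool:
    app = APPS.get(req.app_id)
    # AppID/AppKey only identify the application; they grant nothing alone.
    if app is None or not hmac.compare_digest(app["app_key"], req.app_key):
        return False
    if req.master_key is not None:
        return hmac.compare_digest(app["master_key"], req.master_key)
    principals = [PUBLIC] + ([req.user_id] if req.user_id else [])
    return any(action in rec.acl.get(p, set()) for p in principals)

# Account system: only the owner may read or write her note.
note = Record({"text": "private"}, {"alice": {"read", "write"}})
# No account system: the class is public read-only, written via master key.
article = Record({"title": "news"}, {PUBLIC: {"read"}})

def demo() -> dict:
    repackaged = Request("app-123", "key-abc")  # extracted keys, no login
    alice = Request("app-123", "key-abc", user_id="alice")
    backend = Request("app-123", "key-abc", master_key="m-secret")
    return {
        "repackaged_reads_note": allowed(repackaged, note, "read"),
        "repackaged_writes_article": allowed(repackaged, article, "write"),
        "repackaged_reads_article": allowed(repackaged, article, "read"),
        "alice_writes_note": allowed(alice, note, "write"),
        "backend_writes_article": allowed(backend, article, "write"),
    }
```

A caller holding only the keys recovered from the APK gets exactly what the ACL marks as public, which is why the keys do not need to stay secret.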
  • 高洛峰

    高洛峰 2017-04-17 11:49:47

    There has been a lot of discussion about this issue. For details, please refer to the following reply on Zhihu:
    http://www.zhihu.com/question/23145495/answer/24061566

    In addition, we have also added application option settings to better protect your data:
    http://blog.avoscloud.com/657/

  • 大家讲道理

    大家讲道理 2017-04-17 11:49:47

    Love Encryption uses the technology of packing apk. The packed program can effectively prevent the disassembly and analysis of the program and will not destroy or modify the source program. At the same time, it provides comprehensive security services, including channel monitoring, security testing, app encryption, legal support, etc. Moreover, the APK source code security protection is encryption protection for major files such as DEX, RES, and SO libraries, which can effectively prevent the APK from being cracked and decompiled!!!
    For details, you can go to: www.ijiami.cn
    iCrypto currently proposes three layers of encryption protection: DEX packing protection, DEX command dynamic loading protection, and advanced obfuscation protection, which can ensure the dynamic security and static security of the APP, so that there will be no chance of any cracking. iEncryption has launched SO library protection, and the code at the C/C++ level has been professionally protected. iEncryption provides customized services, and the specific price is determined according to the needs of the developer!
