我正在寻找一种在 WP7 应用程序中安全存储 API key 的方法。 key 是一个字符串,目前已硬编码到代码中(见下文)。我知道有反射程序的人可以很容易地看到这个。有没有更好的方法将此 key 打包为我的应用程序的一部分?资源会更安全吗?
string key = "DSVvjankjnersnkaecjnDFSD44VDS23423423rcsedzcadERVSDRFWESDVTsdt";
(这实际上不是关键;))
提前谢谢你。
最佳答案
看看Safeguard Database Connection Strings and Other Sensitive Settings in Your Code , 这是一本好书。您的问题在“在应用程序源代码中隐藏 key ”部分。
摘录:
If you define the key in the application, in addition to obfuscating the assembly, try not to store the actual key bytes in the source code. Instead, implement key-generation logic using persistent characteristics, such as the encryption algorithm, key size, pass phrase, initialization vector, and salt (see an example at Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key). This will introduce an extra layer of indirection, so the key will not be accessible by simply dumping the symbols from the application binary. As long as you do not change key-generation logic and key characteristics, the resulting key is guaranteed to be the same. It may also be a good idea not to use static strings as key-generation characteristics, but rather build them on the fly. Another suggestion would be to treat the assembly the same way as the data store should be treated, that is, by applying the appropriate ACLs. And only use this option as a last resort, when none of the other data protection techniques work and your only alternative is leaving sensitive data unencrypted.
关于c# - 如何在 C# 中安全地嵌入静态字符串( key )?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9511989/