java - How to secure an Android application

Tags: java android security

For security within the application, I am using the method below to generate a key hash.

import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import android.util.Log;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Returns a Base64-encoded digest of the app's signing certificate (the "key hash").
// Called from within an Activity/Context so that getPackageManager() is available.
private String getKeyHash() {
    PackageInfo info;
    String keyHash = null;
    try {
        info = getPackageManager().getPackageInfo(BuildConfig.APPLICATION_ID, PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            // "SHA" is the JCA alias for SHA-1
            MessageDigest md = MessageDigest.getInstance("SHA");
            // signature.toByteArray() is the DER-encoded signing certificate
            md.update(signature.toByteArray());
            keyHash = new String(Base64.encode(md.digest(), Base64.NO_WRAP));
            Log.v("KeyHash : ", keyHash);
        }
    } catch (PackageManager.NameNotFoundException e1) {
        Log.v("name not found", e1.toString());
    } catch (NoSuchAlgorithmException e) {
        Log.v("no such an algorithm", e.toString());
    } catch (Exception e) {
        Log.v("exception", e.toString());
    }
    return keyHash;
}

Other than the method above, is there any effective way to generate a keyhash for securing the application when calling APIs?

Can we create a SHA256 key? Can this SHA256 key be reverse engineered after building the APK? Please help me with this. Thanks in advance.

Best answer

Instrumentation Frameworks

For security within application, I am using below method to generate Keyhash.

No matter what kind of code you write and how much you obfuscate it, all an attacker needs is to hook into your mobile app at runtime with an open-source instrumentation framework such as Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

So the attacker finds the function you are calling and hooks it to listen for the returned result and extract it to a command and control server, or simply modifies it to whatever value he likes.

Reverse Engineering

Can we create SHA256 key, is this SHA256 key can be reverse engineered after building APK?

Yes, you can, and my favourite tool for it is MobSF - Mobile Security Framework:

Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.

You can read the article How to Extract an API Key from a Mobile App with Static binary Analysis to see how I used MobSF to extract an API key, but the process for finding and extracting any other kind of secret will be similar.

You can make a secret harder to find through static analysis by hiding it in native C code using JNI/NDK:

Using Android Studio 2.2 and higher, you can use the NDK to compile C and C++ code into a native library and package it into your APK using Gradle, the IDE's integrated build system. Your Java code can then call functions in your native library through the Java Native Interface (JNI) framework.

For an example implementation, see this folder in the Currency Converter Demo, the companion mobile app for the article Steal that API Key with a Man in the Middle Attack:

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

The article shows you how to use a proxy to perform a man-in-the-middle attack, another technique widely used to extract secrets from mobile apps. I find it very useful when I cannot find the secret through static analysis.

In the article I used a very popular open-source tool, mitmproxy:

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

Locking the API to the Mobile App

is there any effective way for generating keyhash other than above method for securing application while calling API's.

I think what you are looking for is to lock your API server so that it only accepts requests from your mobile app. If that is the case, please read this reply I gave to the question How to secure an API REST for mobile app?, in the section about a possible better solution for securing the API server.

Basically, in that reply you can learn several techniques to secure your API server and to try to lock it down to your mobile app with a high degree of confidence.

Do you want to go the extra mile?

In any response to a security question I think it is necessary to reference the excellent work of the OWASP Foundation.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
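The key hash computed by getKeyHash() in the question is a digest of the app's signing certificate, and that certificate ships inside every v1-signed APK, so the same value can be reproduced offline without ever running the app; this is the reverse-engineering point the answer makes. The following is an added example, not the answerer's or the question's code: a plain Java program that reads the PKCS#7 signature block from META-INF of an APK (path given as a command-line argument) and prints the same SHA-1 and SHA-256 key hashes the Android method would log.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class ApkKeyHash {

    // Same computation as the app's getKeyHash(): digest over the DER-encoded signing
    // certificate, Base64 without line wrapping. Android's Signature.toByteArray() returns
    // exactly this DER encoding, and "SHA" in the question's code resolves to SHA-1.
    static String keyHash(byte[] derCert, String algorithm) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return Base64.getEncoder().encodeToString(md.digest(derCert));
    }

    public static void main(String[] args) throws Exception {
        boolean found = false;
        try (ZipFile apk = new ZipFile(args[0])) {
            Enumeration<? extends ZipEntry> entries = apk.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                String name = e.getName();
                // v1 (JAR) signature blocks are PKCS#7 files in META-INF carrying the cert chain.
                boolean sigBlock = name.startsWith("META-INF/")
                        && (name.endsWith(".RSA") || name.endsWith(".DSA") || name.endsWith(".EC"));
                if (!sigBlock) continue;
                try (InputStream in = apk.getInputStream(e)) {
                    // The X.509 factory accepts a PKCS#7 blob and yields the certificates in it.
                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
                    for (Certificate c : cf.generateCertificates(in)) {
                        found = true;
                        byte[] der = c.getEncoded();
                        System.out.println(name);
                        System.out.println("  SHA-1   key hash: " + keyHash(der, "SHA-1"));
                        System.out.println("  SHA-256 key hash: " + keyHash(der, "SHA-256"));
                    }
                }
            }
        }
        if (!found) {
            // APKs signed only with the v2/v3 scheme keep the certificate in the APK Signing
            // Block instead of META-INF; it is still public, but needs a different parser.
            System.out.println("No v1 signature block found in META-INF");
        }
    }
}
```

Whatever digest is chosen, the output matches what the app computes on the device, which is why a key hash cannot serve as a secret that identifies the genuine app to an API server.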

Regarding java - How to secure an Android application, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61650869/
