1

I'm currently stuck with the security in my app. My application records the GPS location of the user every 10 minutes and after 12 hours it sends the data to a server. I'm currently saving the location of the user in a *.txt file in the internal memory. Now, I need to secure this file so it can only be edited my application so the user cannot hack it and change the gps locations recorded.

I've read about encrypting the strings or the file itself but here is my question. All over stackoverflow people do not recommend to hardcode the password even with code obfuscation. How else can I secure the data on this file? Using ProGuard + code obfuscation by myself (bit shifting, mathematical operations, etc) isn't enough to save the password in my code? Any comments appreciated, I need this to be secure as the data must remain untouched. Thanks!!

4

1 回答 1

3

如果密码在内存中,即使未加密/混淆,如果用户知道他们在做什么,它也可以被恢复和/或滥用。

要解决此问题,您应该让应用程序从服务器请求密钥以用于加密。密钥本身应该使用 SSL 加密/签名,这样您就可以保证您的服务器发送了密钥,并且在此过程中密钥不会被截获。立即从内存中清除密钥,使其不再保留在设备上。

这个解决方案仍然不是万无一失的。用户可以对应用程序进行逆向工程并告诉它使用任何旧密钥。只要您将坐标存储在设备上,它们就会以某种方式受到攻击。使用我刚刚描述的技术,攻击者仍然可以欺骗 GPS 源,或者使用重放攻击。为了防止这种情况,您需要为每次保存使用不同的密钥,并在服务器上跟踪应用密钥的顺序。

更安全的方法是根本不在设备上存储位置。一旦它们可用,就立即上传它们,使用加密/签名 SSL 方法来防止篡改。在服务器上对其进行健全性检查,以排除不良的欺骗工作。当信任来自设备的数据(例如 GPS 坐标)时,您就有被聪明的攻击者操纵的风险。

于 2013-02-28T18:38:58.940 回答