Proguard是否足以通过渗透测试?

这是新的onCreate()方法:protected void onCreate(Bundle bundle) { //... this.f1859o = PreferenceManager.getDefaultSharedPreferences(this); this.f1860p = this.f1859o.getBoolean(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~"), false); if (!this.f1860p) { m3099j(); }}这是第二个示例，其中的硬编码字符串已被黑客视图完全隐藏:public String m3101a(String str) { PrintStream printStream = System.out; StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}}")); stringBuilder.append(str); String stringBuilder2 = stringBuilder.toString(); return str.equals(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}|")) ? k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}s") : str.equals(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}r")) ? k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~{") : str.equals(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~z")) ? k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~y") : k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~x");}这是您通过渗透测试所需的防护等级最后，作为一项附加的安全措施，这种专业工具也可能能够检测到受保护的不可读"代码中的修改，并且如果检测到对受保护版本的篡改操作，则可以停止执行该应用.而且，与简单的[但很漂亮] ProGuard不同，它可以对模拟器，植根设备和其他潜在危险场景进行检测请注意如何通过这些步骤强化代码.没有人能100％安全地被黑客入侵.您的工作只会使工作变得尽可能困难，仅此而已For our android mobile app , we have to choose an obfuscation tool so that our app will pass penetration test cases. Is Proguard enough for the same or we should use Dexguard? 解决方案 Obfuscation is NOT enough to pass a penetration testA proper penetration test will analyze both static and runtime behavior of your app, so the runtime behavior will not be covered at all only through obfuscationBut also considering exclusively the static analysis that you will undergo you are far from being secureI'll make you a practical easy example because the differences between the two tools you suggested are already reported in another answerSay that you have an original unobfuscated MainActivity given by:protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); //... // lines for adding the shortcut in the home screen appPreferences = PreferenceManager.getDefaultSharedPreferences(this); isAppInstalled = appPreferences.getBoolean("isAppInstalled", false); if(isAppInstalled == false) addShortcut();where:private void addShortcut() { //Adding shortcut // ... addIntent.setAction("com.android.launcher.action.INSTALL_SHORTCUT"); // ... SharedPreferences.Editor editor = appPreferences.edit(); editor.putBoolean("isAppInstalled", true); editor.commit();}These are the coounterparts obfuscated by ProGuard and taken through an online Java decompilerConclusions:1) as you can see - despite the proguard obfuscation - you are in a position where an attacker can easily modify the code flow [e.g. turning if (!this.f2293p) into if (this.f2293p)] and easily understand what you have to do to modify a value in your app, despite obfuscation. In this case it was a simple stupid "isAppInstalled" preference but of course it could have been something more sensitive like:public boolean appIsPurchased(){ return settings.getBoolean(keyPurchase,false);}PS storing unencrypted Shared Preferences [especially if containing sensitive data] is a very bad practice, this is just a quick example for demonstrational purposes. In rooted devices retrieving this file is just equal to browse to a system folder and search for an xml file2) moreover in general this pure obfuscation will not hide anything which is hardcoded. We already saw that:editor.putBoolean("isAppInstalled", true);was transformed in:this.f2293p = this.f2292o.getBoolean("isAppInstalled", false);Another simple example can be:if (barcode.equals("123456")) { return "Hat";}if (barcode.equals("234567")) { return "Jumper";}if (barcode.equals("345678")) { return "Pants";}return "Troubles detecting the new item";becoming after obfuscation:return str.equals("123456") ? "Hat" : str.equals("234567") ? "Jumper" : str.equals("345678") ? "Pants" : "Troubles detecting the new item";Such strings are cheeky hints for people whose purpose is breaking your purely obfuscated app. For example your endpoints strings would be available to anyoneSo you need a tool like DexGuard or other commercial solutions able to produce something more complex than simple obfuscationThis is an example of the final result from ProGuard + third-party security tool [I do not have DexGuard, I use another one where protection is automatically applied through a drag'n'drop of the original unprotected apk]This is the new onCreate() method:protected void onCreate(Bundle bundle) { //... this.f1859o = PreferenceManager.getDefaultSharedPreferences(this); this.f1860p = this.f1859o.getBoolean(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~"), false); if (!this.f1860p) { m3099j(); }}while this is the second example with hardcoded strings that have been totally hidden from the hacker view:public String m3101a(String str) { PrintStream printStream = System.out; StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}}")); stringBuilder.append(str); String stringBuilder2 = stringBuilder.toString(); return str.equals(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}|")) ? k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}s") : str.equals(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("}r")) ? k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~{") : str.equals(k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~z")) ? k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~y") : k09kcah9u6scvhh4ab059fbmtq.itg7jcg3c4din73t0cib8n7eau("~x");}This is the degree of protection you need to pass the penetration testFinally - as an additional safety measure - this kind of professional tools may also able to detect modifications in the protected "unreadable" code and stop the app execution if a tampering action on the protected version is detected. And also, unlike the simple [but beautiful] ProGuard, implement the detection for emulators, rooted devices and other potentially dangerous scenariosPlease note how the code was hardened through these steps. No one is 100% safe from being hacked. Your job is only making it as difficult as possible, that's it 这篇关于Proguard是否足以通过渗透测试?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！上岸，阿里云！