Question
I have 'secured' the communication between my Android application and a TLS server providing a financial transaction service, currently in development.
The security credentials are stored in a BKS keystore included in the Android apk. The password to the keystore is visible in plain text in the application source:
keyStore.load(is, passwd.toCharArray());
I am concerned that if someone was to reverse engineer the app, they would be able to impersonate another user and compromise the security of the service.
I was wondering whether there is a fault in my implementation, if anyone else has this concern, and what the best method of securing against this possibility is.
Recommended answer
I believe that Diffie-Hellman Key Exchange is what I was looking for. I'd rather not have to re-implement my own version of DH using a complicated process which involves the user.
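The weakness in the question is a keystore password that ships next to the keystore, either as a string literal or as a constant in the same class. The following audit script is an added example, not code from the question or answer: it scans Java source for KeyStore.load(...) calls whose password argument is a literal or a static final String constant defined in the same file, and reports them for review. The Java snippet inside it is constructed to resemble the pattern in the question; the class, constant and method names are hypothetical.

```python
import re

# Constructed Java source resembling the pattern in the question (not the asker's real code).
SAMPLE_JAVA = """
public class TlsClient {
    private static final String KS_PASS = "changeit";
    void init(InputStream is) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(is, KS_PASS.toCharArray());
        KeyStore trust = KeyStore.getInstance("BKS");
        trust.load(is, "s3cret".toCharArray());
        KeyStore user = KeyStore.getInstance("BKS");
        user.load(is, promptForPassword().toCharArray());
    }
}
"""

# static final String NAME = "value";  -> lets us resolve constants used as passwords
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
# <var>.load(<stream>, <expr>.toCharArray())  -- the KeyStore.load call shape from the question
LOAD_RE = re.compile(r'(\w+)\.load\(\s*[^,]+,\s*(.+?)\.toCharArray\(\)\s*\)')


def find_hardcoded_keystore_passwords(java_source):
    """Return (line_number, keystore_variable, reason) for every load() call
    whose password is a string literal or a same-file String constant.
    Calls whose password comes from elsewhere (user prompt, secure storage)
    are not reported. Assumes one load() call per source line."""
    constants = dict(CONST_RE.findall(java_source))
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        m = LOAD_RE.search(line)
        if not m:
            continue
        var, pw_expr = m.group(1), m.group(2).strip()
        if pw_expr.startswith('"') and pw_expr.endswith('"'):
            findings.append((lineno, var, "string literal"))
        elif pw_expr in constants:
            findings.append((lineno, var, f"constant {pw_expr}"))
    return findings


if __name__ == "__main__":
    for lineno, var, reason in find_hardcoded_keystore_passwords(SAMPLE_JAVA):
        print(f"line {lineno}: keystore '{var}' loaded with hard-coded password ({reason})")
```

A hit means anyone who unpacks the APK gets both the keystore and its password, so the password adds no protection; the fix is to stop shipping a shared credential in the package at all rather than to hide the string better.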