问题描述
我正在开发一个涉及付款的应用程序.我将在应用程序中采用某种加密方式,并在服务器后端采用某种加密方式和安全性.
I am developing an application which involves payments. I will employ some sort of encryption in the app and also some encryption and security on the server backend.
我想知道在部署到Android时特别要保护我的Xamarin代码.我知道Xamarin.iOS会转换为本机代码,但Xamarin.Android会在DLL中部署.Net代码,可以使用DotPeek或任何其他工具轻松将其反编译,并且该代码将可见,包括我的加密密钥或任何其他与安全相关的数据,服务器与我的应用之间的安全性所必需.混淆是一个选项,但我想知道其他任何选项.请为我提供指导,因为这是我非常关心的问题.
I want to know to secure my Xamarin code specially when deploying to Android. I know that Xamarin.iOS converts to native code but Xamarin.Android deploys the .Net code in DLL which can easily be decompiled using DotPeek or any other tool and the code will be visible including my encryption keys or any other security related data which is necessary for security between server and my app. Obfuscation is an option but I want to know any other options. Please guide me on this issue because it is of much concern to me.
推荐答案
直接回答您的问题:不,没有内在的功能可以保护Xamarin编译的Android应用免受逆向工程攻击.
To answer your question directly: No, there is nothing inherently protecting a Xamarin-compiled Android app from reverse engineering attacks.
就像您必须使用ProGuard之类的工具来捍卫APK中的Android原生代码一样,包含您应用的业务逻辑的.NET程序集将要求您采取特殊措施来混淆,加密或以其他方式捍卫那些窥探的眼睛.有了一个相对较小的.NET工具链,并且有兴趣通过中间语言代码进行探索,您可以了解很多有关应用程序组合方式的知识.只需清楚一点,ProGuard只会混淆应用程序的Java代码,并且不对Xamarin编译的APK中发现的.NET程序集提供保护.
Just as you must take action to defend the Android-native code in your APK with tools like ProGuard, the .NET assembly that contains your app's business logic will require you to take special action to obfuscate, encrypt, or otherwise defend the assembly from those prying eyes. With a relatively small .NET toolchain and the interest to go spelunking through Intermediate Language code, one can learn quite a bit about how an app is put together. Just to be clear, ProGuard only obfuscates the app's Java code, and offers no protection for .NET assemblies found within Xamarin-compiled APKs.
正如您的问题以及问题注释中所指出的那样,诸如DotPeek,ildasm,ILSpy和Reflector之类的工具提供了一种非常简便(并且在许多情况下是免费的)检查.NET程序集的方法.这些工具提供了将大量IL代码转换回更高级别的.NET语言(如C#或VB.NET)的机制.只需付出一些额外的努力,即可将这些更高级别的类插入Visual Studio或Xamarin Studio解决方案中,并转换回正在运行的代码-eep!由于Xamarin.Android使用即时编译功能,因此除了在Android本地代码上提供类似于ProGuard的解决方案外,您还可以实现混淆器(如.Net的Babel或.NET的Crypto-Obfuscator),以提供大量开发人员可配置的混淆技术/规则以及对部件进行加密的选项.
As pointed out in your question as well as within the question's commentary, tools like DotPeek, ildasm, ILSpy, and Reflector offer an incredibly easy (and in many cases free!) way to go inspect a .NET assembly and many of these tools offer mechanisms to transform substantial swaths of IL code back to a higher level .NET language like C# or VB.NET. With a little additional effort, these higher-level classes can be plugged into a Visual Studio or Xamarin Studio solution and converted back to running code -- eep! Since Xamarin.Android uses Just-In-Time compilation, in addition to a ProGuard-like solution on your Android-native code, you can implement an obfuscator like Babel for .Net or Crypto-Obfuscator for .Net that offer a host of developer-configurable obfuscation techniques/rules as well as options to encrypt parts of the assembly.
尽管这些工具使逆向工程的猫捉老鼠游戏变得更加困难,但我们最终还是在谈论尝试保护客户端代码;那些决心要查看底层实现并有耐心的人,将能够在二进制文件和程序集中剩下的线索中搜寻,以开始制定正在使用的混淆或加密技术.虽然没有100%安全的工具,机制或安全性方法,但您可以通过对安全性应用分层方法来降低风险,同时着眼于花费时间的风险与成本/影响"来实施多层方法和采用这些额外的安全措施会带来额外的复杂性.正如 SilverlightFox 所建议的那样,在组织的其余平台的背景下聘请安全专家来审核您的应用程序可能是朝着确定其他需要改进的领域,突出潜在的关注领域或获取建议的方向迈出的重要一步.进一步改善您组织选择的平台安全方法.
While these tools make the cat-and-mouse game of reverse engineering more difficult, we are ultimately talking about trying to protect client-side code; those that are determined to look at the underlying implementation and have the patience to do so will be able to hunt through the clues left in your binaries and assemblies to start to work out obfuscation or encryption techniques that are in use. While there is no 100% secure tool, mechanism, or security approach, you can reduce risk by applying a layered approach to security with an eye towards the 'risk vs. costs/impact' of spending time both implementing a multi-layered approach and the additional complexity introduced by adoption of these additional security measures. As SilverlightFox recommends, engaging a security professional to audit your application in the context of the rest of your organization's platforms can be an important step towards identifying additional areas for improvement, highlighting potential areas of concern or getting recommendations towards further improving your organization's selected approach to platform security.
这篇关于Xamarin代码安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!