[Android]将敏感信息放在native层一定是安全的么?
2020-11-29 本文已影响0人
dafasoft
我们在编写Android应用时,如果客户端需要保存一些敏感信息,比如加密的key等等,一般会将这个信息放在native层,然后打一个so包出来供上层调用
但是这样就一定是安全的么?
我们都知道在java中编写的native方法是不会被混淆的,如果被混淆那么native调用会报错。因此,假如我们的apk包被破解,那么破解的人很容易拿反编译的代码找到native代码的声明类,当拿到声明类的时候,破解者新建一个工程,定义一个一模一样的包名和类名,再将我们大号的so包copy过去他就可以在这个新工程中直接调用到我们so包的代码了
那么有没有什么方法可以避免这种状况呢
这时候肯定会有聪明的同学想到,我们可以在native代码中增加包名的校验,如果包名不是我们定义的包名,就不予处理
嗯。。。。这种方式确实增加了一些安全性,但要说增加了多少嘛,我感觉很有限,因为包名是公开信息,别人只需要将新建工程的包名弄成和我们一样的就可以了
这时候我们会想,看来得用打包信息中别人拿不到的信息做校验了。那么,有什么信息是别人拿不到的呢?那就是签名啦!破解者在生成签名包时他基本不可能拿到我们的签名文件,因此,我们只需要交验一下签名是否和我们的一致就可以了
talking is cheap show me your code,下面我们用一个简单的案例实践一下
const char hexcode[] = {'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};
extern "C" JNIEXPORT jstring JNICALL
Java_com_test_sign_util_SpecialUtils_getString(
JNIEnv* env,
jclass jcl, jobject context_object) {
jclass context_class = env->GetObjectClass(context_object);
//context.getPackageManager()
jmethodID methodId = env->GetMethodID(context_class, "getPackageManager", "()Landroid/content/pm/PackageManager;");
jobject package_manager_object = env->CallObjectMethod(context_object, methodId);
if (package_manager_object == NULL) {
//拿不到PackageManager直接返回null
//__android_log_print(ANDROID_LOG_INFO, "JNITag","getPackageManager() Failed!");
return NULL;
}
//context.getPackageName()
methodId = env->GetMethodID(context_class, "getPackageName", "()Ljava/lang/String;");
jstring package_name_string = (jstring)env->CallObjectMethod(context_object, methodId);
char* package = "YOUR APP PACKAGE NAME";
jstring jpackage = env->NewStringUTF(package);
jclass cls = env->GetObjectClass(jpackage);
jmethodID mID = env->GetMethodID(cls, "equals", "(Ljava/lang/Object;)Z");
jboolean equals = env->CallBooleanMethod(package_name_string, mID, jpackage);
if (!equals) {
return NULL;
}
env->DeleteLocalRef(context_class);
jclass pack_manager_class = env->GetObjectClass(package_manager_object);
methodId = env->GetMethodID(pack_manager_class, "getPackageInfo", "(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;");
env->DeleteLocalRef(pack_manager_class);
jobject package_info_object = env->CallObjectMethod(package_manager_object, methodId, package_name_string, 64);
if (package_info_object == NULL) {
//拿不到Packageinfo直接返回null
//__android_log_print(ANDROID_LOG_INFO, "JNITag","getPackageInfo() Failed!");
return NULL;
}
env->DeleteLocalRef(package_manager_object);
//PackageInfo.signatures[0]
jclass package_info_class = env->GetObjectClass(package_info_object);
jfieldID fieldId = env->GetFieldID(package_info_class, "signatures", "[Landroid/content/pm/Signature;");
env->DeleteLocalRef(package_info_class);
jobjectArray signature_object_array = (jobjectArray)env->GetObjectField(package_info_object, fieldId);
if (signature_object_array == NULL) {
//拿不到signatures直接返回null
//__android_log_print(ANDROID_LOG_INFO, "JNITag","PackageInfo.signatures[] is null");
return NULL;
}
jobject signature_object = env->GetObjectArrayElement(signature_object_array, 0);
env->DeleteLocalRef(package_info_object);
//签名信息转换成sha1值
jclass signature_class = env->GetObjectClass(signature_object);
methodId = env->GetMethodID(signature_class, "toByteArray", "()[B");
env->DeleteLocalRef(signature_class);
jbyteArray signature_byte = (jbyteArray) env->CallObjectMethod(signature_object, methodId);
jclass byte_array_input_class=env->FindClass("java/io/ByteArrayInputStream");
methodId=env->GetMethodID(byte_array_input_class,"<init>","([B)V");
jobject byte_array_input=env->NewObject(byte_array_input_class,methodId,signature_byte);
jclass certificate_factory_class=env->FindClass("java/security/cert/CertificateFactory");
methodId=env->GetStaticMethodID(certificate_factory_class,"getInstance","(Ljava/lang/String;)Ljava/security/cert/CertificateFactory;");
jstring x_509_jstring=env->NewStringUTF("X.509");
jobject cert_factory=env->CallStaticObjectMethod(certificate_factory_class,methodId,x_509_jstring);
methodId=env->GetMethodID(certificate_factory_class,"generateCertificate",("(Ljava/io/InputStream;)Ljava/security/cert/Certificate;"));
jobject x509_cert=env->CallObjectMethod(cert_factory,methodId,byte_array_input);
env->DeleteLocalRef(certificate_factory_class);
jclass x509_cert_class=env->GetObjectClass(x509_cert);
methodId=env->GetMethodID(x509_cert_class,"getEncoded","()[B");
jbyteArray cert_byte=(jbyteArray)env->CallObjectMethod(x509_cert,methodId);
env->DeleteLocalRef(x509_cert_class);
jclass message_digest_class=env->FindClass("java/security/MessageDigest");
methodId=env->GetStaticMethodID(message_digest_class,"getInstance","(Ljava/lang/String;)Ljava/security/MessageDigest;");
jstring sha1_jstring=env->NewStringUTF("SHA1");
jobject sha1_digest=env->CallStaticObjectMethod(message_digest_class,methodId,sha1_jstring);
methodId=env->GetMethodID(message_digest_class,"digest","([B)[B");
jbyteArray sha1_byte=(jbyteArray)env->CallObjectMethod(sha1_digest,methodId,cert_byte);
env->DeleteLocalRef(message_digest_class);
//转换成char
jsize array_size=env->GetArrayLength(sha1_byte);
jbyte* sha1 =env->GetByteArrayElements(sha1_byte,NULL);
char *hex_sha=new char[array_size*2+1];
for (int i = 0; i <array_size ; ++i) {
hex_sha[2*i]=hexcode[((unsigned char)sha1[i])/16];
hex_sha[2*i+1]=hexcode[((unsigned char)sha1[i])%16];
}
hex_sha[array_size*2]='\0';
jstring getSha1 = env->NewStringUTF(hex_sha);
// 这里是你自己签名文件的sha1值
char* thisSha1 = "YOUR SINGN FILE SHA1";
jstring jThisSha1 = env->NewStringUTF(thisSha1);
jclass sha1Cls = env->GetObjectClass(jThisSha1);
jmethodID sha1Id = env->GetMethodID(sha1Cls, "equals", "(Ljava/lang/Object;)Z");
jboolean sha1Equals = env->CallBooleanMethod(getSha1, sha1Id, jThisSha1);
// 与我们获取到的调用者的SHA1值进行对比,如果相同则说明是我们自己的包
if (sha1Equals) {
// 返回需要的信息
char* match = "INFO NEED RETURN";
jstring jmatch = env->NewStringUTF(match);
return jmatch;
}
return NULL;
//return hex_sha;
}
这里是直接返回一些信息的操作,如果是类似接口校验等场景,可以直接将加密操作放在native层,java层只负责获取结果,再加上包名和签名信息的验证,可以大大提高我们数据的安全性
