Android Security-Data security 1-string security in code
In the development of Android applications, it is unavoidable to use some sensitive information, such as the address of the server, for
These strings, if hard-coded, are easily accessible through static analysis and can even be used with automated analysis tools
Batch extraction. For example, if you define a string in the Java source code as follows:
Code:
1. String str = "I am a string!";
The corresponding code in the decompile. Smali code is as follows (the registers may differ):
Code:
1. Const-string V0, "I am a string!"
For automated analysis tools, you can extract a string value only by scanning to the Const-string keyword. therefore should
To avoid defining string constants in the source code, it is easier to use the StringBuilder class through append
method to construct the required string, or to use an array to store the string. Using StringBuilder to construct characters
The following code is used in this way to increase the difficulty of automated analysis, if you want to fully extract a
String, if only using static analysis method must be the corresponding lexical syntax parsing.
In addition, strings can be encrypted, for example, some important functions of the code will be the server address and other important information encryption processing, run-time and then decrypt.
Android Security-Data security 1-string security in code