How to secure webservice URL?

Front end  Unresolved  4  2024
借酒劲吻你 2021-01-07 14:41

I have an Android app with web service URLs. If anyone decrypts my APK file, the web service URL will become visible. I am using HTTP POST for calling the web service.

An

4 answers
  •  一整个雨季
    2021-01-07 15:12

    I have fixed this in two ways:

    1. Encrypted the URL in my code with my private key, and on each request call I decrypted it again:

      import android.util.Base64;
      import javax.crypto.Cipher;
      import javax.crypto.SecretKey;
      import javax.crypto.SecretKeyFactory;
      import javax.crypto.spec.DESKeySpec;

      public static String encryptIt(String value) {
          try {
              // DESKeySpec uses the first 8 bytes of the array as the 56-bit DES key
              DESKeySpec keySpec = new DESKeySpec(new byte[]{105, 107, 18, 51, 114, 83, 51, 120, 121});
              SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
              SecretKey key = keyFactory.generateSecret(keySpec);

              byte[] clearText = value.getBytes("UTF8");
              // Cipher is not thread safe, so a new instance is created per call;
              // "DES" alone resolves to DES/ECB/PKCS5Padding
              Cipher cipher = Cipher.getInstance("DES");
              cipher.init(Cipher.ENCRYPT_MODE, key);

              String encryptedValue = Base64.encodeToString(cipher.doFinal(clearText), Base64.DEFAULT);
              // Log.d("aa", "Encrypted: " + value + " -> " + encryptedValue);
              return encryptedValue;
          } catch (Exception e) {
              e.printStackTrace();
          }
          return value;
      }

    and decrypt it by using this:

      public static String decryptIt(String value) {
          try {
              // same key bytes (and same imports) as in encryptIt above
              DESKeySpec keySpec = new DESKeySpec(new byte[]{105, 107, 18, 51, 114, 83, 51, 120, 121}); // cryptoPass.getBytes("UTF8"));
              SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
              SecretKey key = keyFactory.generateSecret(keySpec);

              byte[] encryptedBytes = Base64.decode(value, Base64.DEFAULT);
              // Cipher is not thread safe, so a new instance is created per call
              Cipher cipher = Cipher.getInstance("DES");
              cipher.init(Cipher.DECRYPT_MODE, key);
              byte[] decryptedBytes = cipher.doFinal(encryptedBytes);

              // decode with the same charset used in encryptIt rather than the platform default
              String decryptedValue = new String(decryptedBytes, "UTF8");
              // Log.d("aa", "Decrypted: " + value + " -> " + decryptedValue);
              return decryptedValue;
          } catch (Exception e) {
              e.printStackTrace();
          }
          return value;
      }
    

    Note that in my case the private key is new byte[]{105, 107, 18, 51, 114, 83, 51, 120, 121}; I think it was $ecrEt or something like that, I forget.

    So if they decompile the APK they won't be able to find the service link inside your code.

    So the base URL will be like this: public static final String ROOT_API = "aHR0cHSC86LSy9tbS2JpuZW50aWtoYWAbGUJhdC5qbw==";

    2. Also you have to add ProGuard to your code.

    BUT they can sniff the network and find the URL if the hacker is an advanced person; in this case you have to use an SSL certificate ("https") and make the web service POST.

    Hope you got my point.
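Editorial note on the answer above, with an added example that is not part of the original post. The key in encryptIt/decryptIt ships in the same APK as the Base64 constant, so anyone who decompiles the app recovers the URL by calling the posted decryptIt with the posted key bytes; the scheme hides the string from a casual strings dump and nothing more, and the URL itself should be treated as public. The answer's last point is the one that carries weight, with one caveat: on a device the attacker controls, plain HTTPS is bypassed by installing a user CA and proxying the traffic, so the request and its URL are visible anyway. Pinning the server's public key closes that gap. The plain-JDK program below (added here, not the answer's code; javax.net.ssl.HttpsURLConnection is available on Android as well) computes the pin of whatever certificate chain the server serves and refuses to send the POST body unless the chain matches a configured pin. The host api.example.com and both pin values are placeholders to be replaced with your own.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

/**
 * Added example: a public-key pin check for the "use https" step.
 * The URL is treated as public; what is protected is the identity of the
 * server the app talks to, so a user-installed CA plus a proxy is rejected.
 */
public class PinnedClient {

    // HYPOTHETICAL values: replace with your own host and the SHA-256 of your
    // server's SubjectPublicKeyInfo (same "sha256/..." format OkHttp uses).
    static final String API_HOST = "api.example.com";
    static final Set<String> PINS = Set.of(
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  // leaf or intermediate pin
            "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="); // backup pin for key rotation

    /** "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER)), the encoding CertificatePinner uses. */
    static String spkiPin(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();            // X.509 SubjectPublicKeyInfo, DER
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /** True if any certificate in the served chain matches one of the configured pins. */
    static boolean chainMatchesPin(Certificate[] chain, Set<String> pins) throws NoSuchAlgorithmException {
        for (Certificate c : chain) {
            if (c instanceof X509Certificate && pins.contains(spkiPin((X509Certificate) c))) {
                return true;
            }
        }
        return false;
    }

    /** Completes the TLS handshake, checks the pin, and only then sends the POST body. */
    static int postPinned(String path, byte[] body) throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create("https://" + API_HOST + path).toURL().openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.connect();  // TLS handshake happens here; normal CA validation still applies first
        if (!chainMatchesPin(conn.getServerCertificates(), PINS)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("certificate chain for " + API_HOST + " matches no pin");
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    /** Prints the pins the server currently serves; run once to fill in PINS. */
    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create("https://" + API_HOST + "/").toURL().openConnection();
        conn.connect();
        for (Certificate c : conn.getServerCertificates()) {
            X509Certificate x = (X509Certificate) c;
            System.out.println(x.getSubjectX500Principal() + " -> " + spkiPin(x));
        }
        conn.disconnect();
    }
}
```

Run main once against your own server to list the pins it serves, put the leaf or intermediate pin plus a backup into PINS, and call postPinned for every request. On Android the same pin set can be declared in res/xml/network_security_config.xml with a pin-set element, or configured through OkHttp's CertificatePinner, which uses the same sha256/ encoding as spkiPin here; either is preferable to hand-rolling the check in production, but the code above shows exactly what those mechanisms compare.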
