In app billing security

Front-end · Unresolved · 1 · 2029
一生所求 2020-12-31 10:40

I've finished developing my app that uses in app billing v3. My app is an exam help app which has a list of questions which are inserted into a database. The thing that wor

1 answer
  • 2020-12-31 11:46

    Good question.

    Public key must be available on device in order to be used. Once it comes on device it's not really protected anymore. The key itself is not a secret, but we need to make its possible replacement to be a more difficult task.

    What you can do is to use so called XOR encryption. Here is an example of XOR encrypter and decrypter methods.

    // Requires: import android.util.Base64; import java.nio.charset.StandardCharsets;
    public static String xorEncrypt(String input, String key) {
        byte[] inputBytes = input.getBytes(StandardCharsets.UTF_8);
        int inputSize = inputBytes.length;
    
        byte[] keyBytes = key.getBytes(StandardCharsets.UTF_8);
        // Use the full key length: "length - 1" would never use the last key byte
        // and would divide by zero for a one-character key.
        int keySize = keyBytes.length;
        if (keySize == 0) {
            throw new IllegalArgumentException("key must not be empty");
        }
    
        // XOR every input byte with the repeating key
        byte[] outBytes = new byte[inputSize];
        for (int i = 0; i < inputSize; i++) {
            outBytes[i] = (byte) (inputBytes[i] ^ keyBytes[i % keySize]);
        }
    
        // Base64 so the result can be stored as a plain string constant
        return new String(Base64.encode(outBytes, Base64.DEFAULT), StandardCharsets.UTF_8);
    }
    
    public static String xorDecrypt(String input, String key) {
        byte[] inputBytes = Base64.decode(input, Base64.DEFAULT);
        int inputSize = inputBytes.length;
    
        byte[] keyBytes = key.getBytes(StandardCharsets.UTF_8);
        int keySize = keyBytes.length;
        if (keySize == 0) {
            throw new IllegalArgumentException("key must not be empty");
        }
    
        // XOR is its own inverse, so the same loop restores the original bytes
        byte[] outBytes = new byte[inputSize];
        for (int i = 0; i < inputSize; i++) {
            outBytes[i] = (byte) (inputBytes[i] ^ keyBytes[i % keySize]);
        }
    
        return new String(outBytes, StandardCharsets.UTF_8);
    }
    

    Now what you need is to choose a password string (String key) and encrypt your public key (String input) using it. This encrypted key you can store in a class. When you need your real key value, you call xorDecrypt() with the password and public (encrypted) key string. Password is a string you store somewhere in your code too. As I said we do not really protect it, but we make it more difficult to find and/or replace.

    You can add more sophisticated logic on how to combine encrypted public key and password too. This just adds more complexity but won't give you any warranty your key won't be decrypted. In any case Google confirms XOR encryption is better than nothing.

    Android 4.3 added some more security features which can be used for storing public keys too. This solution will require a server communication and hardware support to be really safe. These are Key Chain enhancements and Android Keystore Provider.

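The XOR scheme from the answer above, written out in Python as an added example (not code from the original post or from any Android library). It mirrors the answer's two methods with the full key length, and adds a third function that makes the answer's own caveat concrete: because a repeating-key XOR is linear, anyone holding both the obfuscated constant and the public key (which the app must reveal at runtime to verify a purchase) gets the password back with one XOR, so this is obfuscation, not protection. The public key and password values are constructed placeholders, not real keys.

```python
import base64

# Constructed placeholder standing in for a Base64-encoded licensing public key.
# It is NOT a real key; any similar-looking string works for this demo.
SAMPLE_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekeybytesONLY0123456789"
# Constructed password, the kind of string the answer suggests hard-coding in the app.
OBFUSCATION_PASSWORD = "p@ssw0rd"


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_obfuscate(plaintext: str, key: str) -> str:
    """Equivalent of the answer's xorEncrypt(): XOR then Base64-encode."""
    masked = _xor_stream(plaintext.encode("utf-8"), key.encode("utf-8"))
    return base64.b64encode(masked).decode("ascii")


def xor_deobfuscate(encoded: str, key: str) -> str:
    """Equivalent of the answer's xorDecrypt(): Base64-decode then XOR again."""
    masked = base64.b64decode(encoded)
    return _xor_stream(masked, key.encode("utf-8")).decode("utf-8")


def recover_xor_key(encoded: str, known_plaintext: str, key_len: int) -> str:
    """Show why the answer says the key is 'not really protected'.

    ciphertext XOR plaintext == key stream, so the first key_len bytes of
    that stream are the password. Needs only the stored constant plus the
    public key the app must expose to verify signatures.
    """
    ct = base64.b64decode(encoded)
    pt = known_plaintext.encode("utf-8")
    if key_len <= 0 or key_len > min(len(ct), len(pt)):
        raise ValueError("key_len out of range for the available data")
    return bytes(c ^ p for c, p in zip(ct[:key_len], pt[:key_len])).decode("utf-8")


def demo() -> dict:
    """Round-trip the sample key and then recover the password from it."""
    enc = xor_obfuscate(SAMPLE_PUBLIC_KEY, OBFUSCATION_PASSWORD)
    return {
        "obfuscated": enc,
        "round_trip_ok": xor_deobfuscate(enc, OBFUSCATION_PASSWORD) == SAMPLE_PUBLIC_KEY,
        "recovered_password": recover_xor_key(enc, SAMPLE_PUBLIC_KEY, len(OBFUSCATION_PASSWORD)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The obfuscated constant no longer contains the key as a readable substring, which is all the answer promises; `recover_xor_key` is the one-line reason it promises no more than that, and why the answer points at server communication and hardware-backed key storage for anything stronger.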