InApp 计费安全和远程方法调用
我已经在应用程序中实现了应用程序计费,现在我想进一步确保它的安全。 阅读开发者材料,其中指出:
除了运行混淆程序之外,我们建议您使用以下技术来混淆应用内结算代码。
将方法内联到其他方法中。
动态构造字符串,而不是将它们定义为常量。
使用Java反射来调用方法。
http://developer.android.com/guide/market/billing/billing_best_practices.html
混淆 - 好吧,我可以做到这一点= proguard
将方法内联到其他方法中 - 这就是说,一旦我的代码完成,就尽可能摆脱大量的面向对象并用一种方法将所有代码放入尽可能多的行(用于我的应用程序的计费部分)?这包括内联类吗?在android示例中,他们有一个常量类,我会内联所有这些吗?
动态构造字符串 - 是的,因此将所有类常量变量移动到行中 - 精细的 proguard 应该涵盖这个
使用 Java 反射 - 这是我的主要问题。我应该调用所有我的方法而不是调用它们吗?
为了节省自己的精力,我可以这样做:
private static Object invokeMethod(String name, Class<?>[] params, Object[] args){
try {
return MySpecificClass.class.getMethod(name, params).invoke(null, args);
} catch (IllegalArgumentException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (SecurityException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (IllegalAccessException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (InvocationTargetException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (NoSuchMethodException e) {
// Should never happen in my code, ignore and cancel in app charge
}
return null;
}
然后我可以做这样的事情:
private static boolean someMethod() {
return true; // just an example
}
params = new Class<?>[0];
if ((Boolean) invokeMethod("someMethod", params, null)) {
// Do something
}
这是良好的安全性,还是只是代码膨胀并使我的应用程序无法针对真正的用户问题进行调试?
谢谢。
I've implemented in app billing in an app, and now I want to secure it a little more.
Reading the developer material it states:
In addition to running an obfuscation program, we recommend that you use the following techniques to obfuscate your in-app billing code.
Inline methods into other methods.
Construct strings on the fly instead of defining them as constants.
Use Java reflection to call methods.
http://developer.android.com/guide/market/billing/billing_best_practices.html
Obfuscation - fine I can do that = proguard
Inline methods into other methods - is this saying once my code is complete, get rid of much OO as I can and put all my code in as many lines as I can (for the billing part of my app) in one method? Does this include inlining classes? In the android example they have a constants class, would I inline all these?
Construct strings on the fly - yes so move all class constant variables in line - fine proguard should cover this
Use Java Reflection - this is my main question. Should I invoke all my methods instead of calling them?
To save myself some effort could I do this:
private static Object invokeMethod(String name, Class<?>[] params, Object[] args){
try {
return MySpecificClass.class.getMethod(name, params).invoke(null, args);
} catch (IllegalArgumentException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (SecurityException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (IllegalAccessException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (InvocationTargetException e) {
// Should never happen in my code, ignore and cancel in app charge
} catch (NoSuchMethodException e) {
// Should never happen in my code, ignore and cancel in app charge
}
return null;
}
I could then do things like this:
private static boolean someMethod() {
return true; // just an example
}
params = new Class<?>[0];
if ((Boolean) invokeMethod("someMethod", params, null)) {
// Do something
}
Is this good security, or is it just code bloat and making my app undebuggable for genuine user issues?
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
当盗版威胁明显增加时,您似乎可以考虑这一点。如果反射有可能损害用户体验,我就无法证明使用反射只是为了额外的一层混淆是合理的。
This seems like something you could look into when there is a higher demonstrated threat of piracy. I wouldn't be able to justify using reflection just for an extra layer of obfuscation if it had a chance of compromising the user experience.