更新时间:2022-04-28 22:22:49
总是存在风险.即使您自己不引入漏洞,该平台也可能允许漏洞利用,最终可能为恶意攻击者提供切入点.
There's always a risk involved. Even if you don't introduce vulnerabilities yourself, the platform may allow for exploits which in the end may offer an entry point for a malicious attacker.
关于您的问题:假设硬编码的 URL 无法从您的产品中剥离出来,即使经过难以置信的混淆,也不是安全的.始终设计您的应用,以确保用户数据的安全(尽可能),即使内置资源受到损害.如果仅了解该 URL 就构成安全威胁,那么您的整个方法和您的客户端 API 本质上是不安全的.请记住,此类信息也可能被中间人攻击(和其他攻击模式)捕获.
As to your question: It is not safe to assume that a hardcoded URL, even if obfuscated beyond belief, can't be peeled out of your product. Always design your apps such that safety of user data is guaranteed (as far as possible) even if built in ressources get compromised. If the knowledge of that URL alone poses a security threat, then your whole approach and your clients API is inherently insecure. Remember that such information could possibly be captured by a man-in-the-middle attack (and other modes of attack) as well.
通过默默无闻来避免安全.如有必要,仅将敏感数据存储在磁盘上.通常不允许 PIN/TAN 存储.
Avoid security by obscurity. Store sensitive data only on disk if it is necessary. As a rule don't allow PIN / TAN storage.
一些想法可能(也可能不会)让您的客户相信您的应用尽可能安全:
Some thoughts which may (or may not) convince your client that your app is as safe as it can be: