Storing API keys in Android: is obfuscation good enough?

2023-09-04 08:48:03 Author: 你好优秀!

I'm using the Dropbox API. In the sample app, it includes these lines:

// Replace this with your consumer key and secret assigned by Dropbox.
// Note that this is a really insecure way to do this, and you shouldn't
// ship code which contains your key & secret in such an obvious way.
// Obfuscation is good.
final static private String CONSUMER_KEY = "PUT_YOUR_CONSUMER_KEY_HERE";
final static private String CONSUMER_SECRET = "PUT_YOUR_CONSUMER_SECRET_HERE";

I'm well aware of the mantra 'Secrecy is not Security', and obfuscation really only slightly increases the amount of effort required to extract the keys. I disagree with their statement 'Obfuscation is good'. What should I do to protect the keys then? Is obfuscation good enough, or should I consider something more elaborate?

Accepted answer

You can't help it. If the user (attacker) has the protected data and the code that does the unprotection, the user can eventually get access to the data. It's as simple as that. A debugger and a breakpoint at just the right time is all they need. That, and lots of free time and determination.

Whether or not secrecy is good enough for your purposes is up to your business specifics. But generally in the mobile world, if the customer is that worried about their data being stolen, they implement high-level theft and loss controls. Things like remote wipe, mandatory screen lock, etc. I don't think it's up to the application programmer to duplicate all that stuff.