我在我的Andr​​oid应用程序使用Parse.com。我对泄露密钥非常关注的问题。如果密钥被发现，一个人可以自由访问Parse.com我们的资源。

该密钥保存在一个Java类，它扩展应用程序类。

我真的很想知道如何隐藏按键。什么是时下最好的做法。简单，低成本的解决方案是AP preciated ..

感谢。

我真的很想知道如何隐藏键...

通常你尝试将感光材料攻击者的控制范围之内。通常，这意味着移动尽可能多的敏感code和数据服务器（和出客户）。

如果可能的话，在服务器上运行的Parse.com code，以便客户端不需要API密钥开始。有什么风险的按键会被泄露，因为他们不会对提供给客户端上的攻击者。

如果您验证用户，然后让你的服务器上的API密钥。提供给应用程序，一旦用户进行认证。还是有风险的主要会被泄露，但它不会很难codeD到应用程序和分析工具一样的 APKTool 。

有其他可以采取的步骤了。 Proguard的和API密钥加密浮现在脑海中。在Android 4.0及以上，你也应该把它们存储在钥匙扣。它会阻止攻击者无心，并减慢动机之一。其中大部分都覆盖在最佳实践，用于存储私有API密钥Android中。

您还可以加密二进制分发，但我明白，这是更从谷歌的DRM控制播放（和更小的应用程序/数据安全控制）。见，例如，关于谷歌问题，播放应用程序资产的加密。

I'm using Parse.com in my Android App. I'm very concern about revealing secret keys. If the keys are revealed, someone can access our resources on Parse.com freely.

The keys are saved in a Java Class which extended Application Class.

I really want to know how to hide the keys. What is the best practice nowadays. Easy and low cost solution is appreciated..

Thanks.

I really want to know how to hide the keys...

Generally you try to move sensitive material outside an attackers control. Usually that means moving as much sensitive code and data to a server (and out of a client).

If possible, run the Parse.com code on the server so that the client does not need the API keys to begin with. There's little risk the keys will be leaked because they won't be on available to an attacker on the client.

If you authenticate the user, then keep the API key on your server. Provide it to the application once the user authenticates. There's still risk the key will be leaked, but it won't be hard coded into the app and easily found with an analysis tool like APKTool.

There are other steps you can take too. Proguard and encryption of the API keys come to mind. On Android 4.0 and above, you should also store them in the Keychain. It will stop the unmotivated attacker, and slow down a motivated one. Most of these are covered at Best Practice for storing private API keys in Android.

You can also encrypt the binary for distribution, but I understand this is more a DRM control from Google Play (and less a application/data security control). See, for example, Questions about Google Play application assets encryption.