I have programmed an open source app in which I added donations via In App Billing. Google says to "hide" the public key (see here).
我编写了一个开源应用程序,其中我通过In App Billing添加了捐款。谷歌称“隐藏”公钥(见这里)。
As the app itself is open source, everyone can compile it and change the key. Currently I created a new project with a static class that returns the key. This class I use to get the key so I don't have the plain public key in my git repo. But is this really necessary?
由于应用程序本身是开源的,每个人都可以编译它并更改密钥。目前,我创建了一个带有返回密钥的静态类的新项目。我用这个类获取密钥,所以我的git repo中没有普通的公钥。但这真的有必要吗?
What is the worst thing that could happen if somebody has my public key?
如果有人拥有我的公钥,可能会发生什么最糟糕的事情?
Thanks, Asfaloth
谢谢,Asfaloth
1 个解决方案
#1
0
I thought about this "issue" and try to answer it myself. Hopefully, it is useful for anyone.
我想到了这个“问题”,并试着自己回答。希望它对任何人都有用。
Note: If you plan to sell things and activate features with an in app purchase, you should obfuscate your key! My answer is intended for open source apps only!
注意:如果您计划通过应用程序内购买东西并激活功能,则应该对密钥进行模糊处理!我的答案仅适用于开源应用程序!
Since I don't activate additional features with the in app purchase, a hacker would have no use in replacing the key. He cannot obtain any additional features. Even if it would enable something, since the app is open source, everyone can remove the condition which checks for a purchase.
由于我没有通过应用内购买激活其他功能,因此黑客无法更换密钥。他无法获得任何其他功能。即使它能够启用某些东西,由于该应用程序是开源的,所以每个人都可以删除检查购买的条件。
In the other way, if someone would use the key in his app, I'm not sure what would happen if he uploads the app to the dev console. I think in app purchases will fail, because a new public key is generated for each uploaded app.
另一方面,如果有人在他的应用程序中使用密钥,我不确定如果他将应用程序上传到开发控制台会发生什么。我认为在应用内购买会失败,因为每个上传的应用都会生成一个新的公钥。
I'd say you are good to go to include the public key in your public repository. I'll include it too.
我想你可以在公共存储库中包含公钥。我也会把它包括在内。
#1
0
I thought about this "issue" and try to answer it myself. Hopefully, it is useful for anyone.
我想到了这个“问题”,并试着自己回答。希望它对任何人都有用。
Note: If you plan to sell things and activate features with an in app purchase, you should obfuscate your key! My answer is intended for open source apps only!
注意:如果您计划通过应用程序内购买东西并激活功能,则应该对密钥进行模糊处理!我的答案仅适用于开源应用程序!
Since I don't activate additional features with the in app purchase, a hacker would have no use in replacing the key. He cannot obtain any additional features. Even if it would enable something, since the app is open source, everyone can remove the condition which checks for a purchase.
由于我没有通过应用内购买激活其他功能,因此黑客无法更换密钥。他无法获得任何其他功能。即使它能够启用某些东西,由于该应用程序是开源的,所以每个人都可以删除检查购买的条件。
In the other way, if someone would use the key in his app, I'm not sure what would happen if he uploads the app to the dev console. I think in app purchases will fail, because a new public key is generated for each uploaded app.
另一方面,如果有人在他的应用程序中使用密钥,我不确定如果他将应用程序上传到开发控制台会发生什么。我认为在应用内购买会失败,因为每个上传的应用都会生成一个新的公钥。
I'd say you are good to go to include the public key in your public repository. I'll include it too.
我想你可以在公共存储库中包含公钥。我也会把它包括在内。