[Sharing useful information] How to harden an Android App made with uniapp

It's 2023; does anyone still use uniapp?

On this question I can only say that in 2023 more and more people are using uniapp to develop apps.

On the one hand, cross-platform compatibility is really useful: for small projects, or projects with tight deadlines, it saves a lot of time and effort, and saves the company money. On the other hand, development is very fast: as mentioned, a small project can be finished in a few days, and for larger projects the performance is not far from native, while the cross-platform compatibility makes up for the difference. Finally, there is the community, with many high-quality frameworks and plug-ins that save a lot of time (time is workload!), and, more importantly, the community produces talent, and you can always find fellow developers to rant with (just kidding)...

All in all, although uniapp's documentation is generally good, it has many bugs and each update feels like defusing a bomb; it is still very valuable to many people, so there are still many people using it.

However, with the increasingly strict review policies of the various app stores, the demand for hardening has gradually increased, so today we will talk about how to harden an Android app developed with uniapp.

Hardening principle

Let's first look at the directions from which hardening is generally carried out.

[Image: overview of the directions from which an app is hardened]

Hardening an Android app produced by uniapp is essentially the same, as long as the output is in apk or aab format, so we will harden it on that basis.

Hardening process

01 Code obfuscation

Following the usual approach, the first step is to obfuscate the code. Use code obfuscation tools to obfuscate the JavaScript code so that it is difficult to reverse engineer and crack. Commonly used obfuscation tools include ProGuard and DexGuard. In uniapp, you can configure ProGuard to obfuscate the code when packaging the Android application. A sample configuration follows; add it to the file uniapp.pro in the project root directory:

# Keep the DCloud (uni-app) runtime classes intact: do not rename or strip them
-keep class com.dcloud.** { *; }
-keep public class * extends io.dcloud.* {
    *;
}

02 Harden resource files & anti-debugging

Harden resource files: encrypt or obfuscate sensitive resource files (certificates, configuration files, and so on) so that attackers cannot obtain them. You can use third-party tools to encrypt resource files, or a custom encryption scheme, to protect them.

Anti-debugging: this can be implemented with third-party libraries or custom code. For example, you can detect whether the application is being debugged and respond accordingly, such as closing the application or hiding sensitive information.

import android.os.Debug;

public class DebugUtils {
    // True only while a debugger is attached to this process, so call it at the
    // points you want to protect rather than once at startup
    public static boolean isDebugMode() {
        return Debug.isDebuggerConnected();
    }
}

That is, by calling DebugUtils.isDebugMode() in the application, you can judge from the return value whether the application is being debugged and take corresponding measures.

03 Encrypt sensitive data

We use the PBEWithMD5AndDES algorithm directly to encrypt and decrypt data. Call EncryptionUtils.encrypt(data) to encrypt sensitive data and EncryptionUtils.decrypt(encryptedData) to decrypt it. Remember to replace PASSWORD and SALT with your own password and salt (IMPORTANT!!!).

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.security.spec.KeySpec;
import java.util.Base64;

// Password-based encryption helper; the same PASSWORD and SALT must be used for encrypt and decrypt
public class EncryptionUtils {
    private static final String ALGORITHM = "PBEWithMD5AndDES";
    private static final String PASSWORD = "your_secret_password"; // custom password, replace it with your own
    private static final byte[] SALT = {
        (byte) 0x4b, (byte) 0x6d, (byte) 0x7d, (byte) 0x15,
        (byte) 0x78, (byte) 0x56, (byte) 0x34, (byte) 0x22
    }; // custom salt, replace it with your own

    public static String encrypt(String data) {
        try {
            KeySpec keySpec = new PBEKeySpec(PASSWORD.toCharArray(), SALT, 65536);
            SecretKey secretKey = SecretKeyFactory.getInstance(ALGORITHM).generateSecret(keySpec);
            Cipher cipher = Cipher.getInstance(ALGORITHM);
            PBEParameterSpec parameterSpec = new PBEParameterSpec(SALT, 100);
            cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameterSpec);
            byte[] encryptedBytes = cipher.doFinal(data.getBytes("UTF-8"));
            return Base64.getEncoder().encodeToString(encryptedBytes);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    public static String decrypt(String encryptedData) {
        try {
            KeySpec keySpec = new PBEKeySpec(PASSWORD.toCharArray(), SALT, 65536);
            SecretKey secretKey = SecretKeyFactory.getInstance(ALGORITHM).generateSecret(keySpec);
            Cipher cipher = Cipher.getInstance(ALGORITHM);
            PBEParameterSpec parameterSpec = new PBEParameterSpec(SALT, 100);
            cipher.init(Cipher.DECRYPT_MODE, secretKey, parameterSpec);
            byte[] decodedBytes = Base64.getDecoder().decode(encryptedData);
            byte[] decryptedBytes = cipher.doFinal(decodedBytes);
            return new String(decryptedBytes, "UTF-8");
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}

04 Prevent tampering

We use the SHA-256 hash algorithm to calculate the hash value of the data. Call IntegrityUtils.calculateHash(data) to calculate the hash of the data and compare it with the original hash to verify the data's integrity. For example:

String data = "Hello, world!";
// Digest recorded when the data was known to be good. A SHA-256 hex digest is 64 characters
// long, so this 40-character value is only a placeholder and must be replaced with the real digest.
String originalHash = "2ef7bde608ce5404e97d5f042f95f89f1c232871";
String calculatedHash = IntegrityUtils.calculateHash(data);
System.out.println("SHA-256 of data: " + calculatedHash);

boolean isIntegrityVerified = IntegrityUtils.verifyIntegrity(data, originalHash);
if (isIntegrityVerified) {
    System.out.println("Data integrity verified.");
} else {
    System.out.println("Data has been tampered with!");
}
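The post calls IntegrityUtils but does not show it. As an added example (not code from the original post), here is an implementation of calculateHash and verifyIntegrity as described, extended with an InputStream overload so the same check can be applied to a bundled file such as the packaged JavaScript.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class IntegrityUtils {
    // Hex-encoded SHA-256 digest of the UTF-8 bytes of data
    public static String calculateHash(String data) {
        return toHex(newDigest().digest(data.getBytes(StandardCharsets.UTF_8)));
    }
    // Same digest over a stream, so a bundled file (for example an asset opened with
    // context.getAssets().open(...)) can be checked without loading it into memory
    public static String calculateHash(InputStream in) throws IOException {
        MessageDigest md = newDigest();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            md.update(buf, 0, n);
        }
        return toHex(md.digest());
    }

    // Recomputes the digest and compares it with MessageDigest.isEqual, which does not
    // stop at the first mismatching byte the way String.equals does
    public static boolean verifyIntegrity(String data, String expectedHash) {
        if (expectedHash == null || expectedHash.length() != 64) {
            return false; // a SHA-256 hex digest is always 64 characters; anything else cannot match
        }
        byte[] actual = calculateHash(data).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedHash.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected);
    }

    private static MessageDigest newDigest() {
        try {
            return MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e); // every Android runtime ships it
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }
}
```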

05 Signature function

Add an Android signature.

1) Introduction

This tool is used to re-sign the hardened Android apk.

Version         | File                                          | Remark
Windows version | apk signature tool compressed package (.exe)  | Includes the Java runtime environment; no additional installation is required.
General version | dx-signer-v1.9r.jar                           | Requires a Java 8+ runtime; install one for your operating system from Adoptium.

This tool is open source under the Apache 2.0 license. The source code is available at https://github.com/dingxiangtech/dx-signer .

Instructions for use

  1. Download the signing tool dx-signer.jar and double-click to run it.
  2. Select the input apk or aab file.
  3. Select the signing key file and enter the key password.
  4. Select the output path for the re-signed apk or aab, ending in .apk, for example D:\sign.apk
  5. Click the "Sign" button and wait for signing to complete.

ps: If your key has an alias (certificate alias) or the keystore holds multiple certificates, select the alias in the Advanced tab and enter the alias password.

2) Introduction to the multi-channel function

The multi-channel tool is compatible with Umeng- and Meituan walle-style multi-channel packages, which makes it convenient to publish the app to different app stores and collect per-channel statistics.

Instructions for use

  1. Reserve an entry point in the app for reading the channel information; see 5.2.2, "Read channel information", below.
  2. Following the signing steps in 5.1.1 above, click to select the channel list.
  3. Select the channel list file channel.txt; see 5.2.3, "Channel file format description", for the file format.
  4. Click Sign and wait for the signed app for each channel to be generated.

Read channel information

The Dingxiang multi-channel tool is compatible with Umeng- and Meituan walle-style multi-channel packages. Two ways of reading the channel information follow; use either one of them.

Read channel information: UMENG_CHANNEL

The output APK will contain a UMENG_CHANNEL meta-data entry:

<application ... >
    <meta-data
        android:name="UMENG_CHANNEL"
        android:value="XXX" />
</application>

This field can then be read as follows:

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;

public static String getChannel(Context ctx) {
    String channel = "";
    try {
        ApplicationInfo appInfo = ctx.getPackageManager().getApplicationInfo(ctx.getPackageName(),
                PackageManager.GET_META_DATA);
        // metaData is null when the manifest declares no <meta-data> at all
        if (appInfo.metaData != null) {
            channel = appInfo.metaData.getString("UMENG_CHANNEL", "");
        }
    } catch (PackageManager.NameNotFoundException ignore) {
        // our own package is always found; fall through and return the empty channel
    }
    return channel;
}

Read channel information: Walle

The output APK also contains Walle-style channel information, which can be read with the Walle library.

Add the dependency in Gradle:

implementation 'com.meituan.android.walle:library:1.1.7'

Then read the channel:

String channel = WalleChannelReader.getChannel(this.getApplicationContext());

Channel file format description

Prepare a channel list file channel.txt with one channel per line, for example:

0001_my
0003_baidu
0004_huawei
0005_oppo
0006_vivo

Conclusion

The above is the hardening method for an Android app built with uniapp, for reference only. Everyone is welcome to discuss and learn together.

Origin blog.csdn.net/dingxiang234/article/details/131767635