How to store critically sensitive information such as secret, key, token, encryptionKey in iOS application


Question

When we talk about securing an iOS application we often forget to secure the most critically sensitive information such as secret, key, token, encryptionKey. This information is stored in the iOS binary, so none of your server-side security protocols will help you.

There are lots of suggestions that we should not store such information in the app but store it on the server and get it via an SSL-secured web service call. But this is not possible for all applications, e.g. if my application does not need a web service at all.

In an iOS app we have the following options to store information.

  1. UserDefault: Not appropriate for this case.
  2. String Constant: Not appropriate for this case. Can be reverse engineered to retrieve, or just use the strings command.
  3. Secure Database: Store in a secure and encrypted database. But again we have the responsibility to secure the database username and password.
  4. KeyChain: Best to store critical info. But we cannot save information before installing the app. To store in the keychain, we first need to open the app, read from some source and store in the keychain. Not appropriate for our case either.
  5. Custom Hash String Constant: Do not directly use the secret, token, key from the service provider (mixpanel, paypal); instead use a hashed version of that information from a custom key. This is also not a perfect solution, but it adds complexity during hacking.

Kindly send some awesome solution to this problem.

Answer

If you don't want to use your own backend then use Apple. You can configure On-Demand Resources and keep a data file with your key, token, or any secret on Apple's server. After the first download you can write this data to the Keychain, which is secure enough. I'm guessing networking between iOS and Apple's server is also secure enough.

On-Demand Resources Essentials

Accessing and Downloading On-Demand Resources
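The flow the answer describes, written out as an added Swift example (not code from the question, the answer, or Apple's documentation): on first launch the app downloads an on-demand resource pack, copies the secret it contains into a Keychain generic-password item, and on later launches reads the Keychain only. The ODR tag `secrets`, the file name `secrets.json`, the JSON key `mixpanelToken`, and the Keychain service and account names are assumptions made for this example; the Foundation and Security APIs (`NSBundleResourceRequest`, `SecItemAdd`, `SecItemCopyMatching`, `SecItemDelete`) are Apple's.

```swift
import Foundation
import Security

// Names used only for this example (assumed, not from the question or answer):
// ODR tag "secrets", file "secrets.json", JSON key "mixpanelToken",
// Keychain service "com.example.app.secrets", account "mixpanel-token".
enum SecretStoreError: Error {
    case resourceMissing
    case keychain(OSStatus)
}

/// Minimal wrapper around a Keychain generic-password item.
struct KeychainStore {
    let service: String

    /// Writes (or overwrites) `value` under `account`.
    /// WhenUnlockedThisDeviceOnly: readable only while the device is unlocked,
    /// never migrated to another device and never placed in iCloud Keychain.
    func set(_ value: Data, account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Drop any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
        let deleteStatus = SecItemDelete(query as CFDictionary)
        guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
            throw SecretStoreError.keychain(deleteStatus)
        }
        var attributes = query
        attributes[kSecValueData as String] = value
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw SecretStoreError.keychain(status) }
    }

    /// Returns the stored value, or nil if nothing has been stored yet.
    func get(account: String) throws -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess: return item as? Data
        case errSecItemNotFound: return nil
        default: throw SecretStoreError.keychain(status)
        }
    }
}

/// Returns the token from the Keychain if present; otherwise downloads the
/// on-demand resource once, stores the token, and releases the resource pack.
func loadMixpanelToken(completion: @escaping (Result<String, Error>) -> Void) {
    let store = KeychainStore(service: "com.example.app.secrets") // assumed service name
    let account = "mixpanel-token"                                 // assumed account name

    // Fast path: the token was written on an earlier launch.
    if let data = try? store.get(account: account),
       let token = String(data: data, encoding: .utf8) {
        completion(.success(token))
        return
    }

    // Slow path: fetch the pack tagged "secrets" (tag assigned in Xcode; assumed here).
    let request = NSBundleResourceRequest(tags: ["secrets"])
    request.beginAccessingResources { error in
        defer { request.endAccessingResources() } // lets iOS purge the pack afterwards
        if let error = error {
            completion(.failure(error))
            return
        }
        guard let url = request.bundle.url(forResource: "secrets", withExtension: "json"),
              let data = try? Data(contentsOf: url),
              let json = try? JSONSerialization.jsonObject(with: data) as? [String: String],
              let token = json["mixpanelToken"] else {
            completion(.failure(SecretStoreError.resourceMissing))
            return
        }
        do {
            try store.set(Data(token.utf8), account: account)
            completion(.success(token))
        } catch {
            completion(.failure(error))
        }
    }
}
```

What this buys is exactly what the answer claims and no more: the value is not a string constant in the shipped binary (so the `strings` pass from option 2 of the question finds nothing) and at rest it lives in a Keychain item with the most restrictive common accessibility class. The resource pack is still a file the device downloads and briefly holds, which is why the example calls `endAccessingResources()` immediately after the Keychain write rather than keeping the pack around.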

