如何在本机客户端安全地存储密钥? [英] How to securely store secret keys on react-native client side?

问题描述

假设我正在构建一个带有 firebase 的 react-native 应用程序，它假定应用程序中有密钥.有人可能会偷钥匙吗?如果是这样，那么我该如何保护它?

Let's say i'm building a react-native app with firebase, which assumes having secret key in app. Is it possible for someone to steal the key? If so, then how do i protect it?

推荐答案

没有 100% 安全的方法可以在设备上存储任何机密，因为您无法控制对源的访问.保证您的密钥安全的唯一方法就是从一开始就永远不要将它们放在设备上.

There's no 100% secure way to store anything secret on the device because you have no control over access to the source. The only way to guarantee security of your keys is to never have them on the device in the first place.

您找到的任何解决方案都会有缺陷，Michael Ramirez 撰写的这篇文章

Any solution you find will have a flaw, illustrated quite nicely by this article by Michael Ramirez

您需要在您真正需要这些密钥的安全性之间取得平衡.

You need to strike a balance of how secure you really need those keys to be.

例如，在 Android 上，我们将一些我们对 Google 和其他 API 不太关心的密钥存储在 res/values/secrets.xml 字符串文件中，该文件不致力于版本控制.对某人来说，strings out_app.api 很容易，但我们已经决定不再关心这些密钥的安全.

For example on Android we store some of our keys we care less about for Google and other APIs in a res/values/secrets.xml string file, which is not committed to version control. It's easy for someone to strings out_app.api, but we've already decided to care less about securing those keys.

<resources>
    <string name="google_api_key">OurApiKey</string>
</resources>

如果您在 Android 上使用 ReactNative根据您要存储的密钥类型，您可以使用 Android Keystore System 使用 Keystore API但是我认为这不适用于存储 Firebase 密钥.

If you're working with ReactNative on Android & depending on the types of key you want to store, you could make use of the Android Keystore System using the Keystore API however I don't think this will work for storing Firebase keys.

这篇关于如何在本机客户端安全地存储密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！