In iOS, how can I store a secret "key" that will allow me to communicate with my server?

Problem description

I want to store a secret key ("abc123") that I will use in the header of my REST API requests. My server will check this secret key. If it matches "abc123", then allow the request to be made.

I'm thinking about a simple solution like:

let secret = "abc123" 

But are there going to be any downfalls to this?

Recommended answer

Crazy as it sounds, this is probably the best solution. Everything else is more complicated, but not much more secure. Any fancy obfuscation techniques you use are just going to be reverse engineered almost as quickly as they'll find this key. But this static key solution, while wildly insecure, is nearly as secure as the other solutions while imposing nearly no extra complexity. I love it.

It will be broken almost immediately, but so will all the other solutions. So keep it simple.

The one thing that you really want to do here is use HTTPS and pin your certificates. And I'd pick a long, random key that isn't a word. Ideally, it should be a completely random string of bytes, stored as raw values (not characters) so that it doesn't stand out so obviously in your binary. If you want to get crazy, apply a SHA256 to it before sending it (so the actual key never shows up in your binary). Again, this is trivial to break, but it's easy, and won't waste a lot of time developing.

It is unlikely that any effort longer than an hour will be worth the trouble to implement this feature. If you want lots more on the topic, see Secure https encryption for iPhone app to webpage and its links.
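The approach the answer describes (raw key bytes, SHA-256 applied before sending, HTTPS with a pinned certificate), sketched in Swift as an added example that is not part of the original answer. It assumes iOS 15+ with CryptoKit; the header name `X-Api-Key`, the key bytes and the pin value are constructed placeholders.

```swift
import Foundation
import CryptoKit
import Security

// Constructed placeholders: substitute your own random bytes and the base64
// SHA-256 of your own server's DER-encoded leaf certificate.
let secretBytes: [UInt8] = [0x9f, 0x3a, 0x51, 0xc7, 0x08, 0xe2, 0x6d, 0xb4,
                            0x17, 0xa9, 0x40, 0xfe, 0x2b, 0x83, 0xd5, 0x6c]
let pinnedLeafSHA256 = "BASE64_SHA256_OF_YOUR_SERVER_CERT" // placeholder

// The value sent is the hex SHA-256 of the raw bytes; the server compares against the same digest.
func apiKeyHeaderValue() -> String {
    SHA256.hash(data: Data(secretBytes)).map { String(format: "%02x", $0) }.joined()
}

final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust else {
            completionHandler(.performDefaultHandling, nil)  // not a TLS server-trust challenge
            return
        }
        // Normal chain validation first, then compare the leaf certificate against the pin.
        guard let trust = space.serverTrust,
              SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let seen = Data(SHA256.hash(data: der)).base64EncodedString()
        if seen == pinnedLeafSHA256 {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)  // pin mismatch: fail closed
        }
    }
}

// Build a request carrying the derived key in the (hypothetical) X-Api-Key header.
func authorizedRequest(for url: URL) -> URLRequest {
    var request = URLRequest(url: url)
    request.setValue(apiKeyHeaderValue(), forHTTPHeaderField: "X-Api-Key")
    return request
}

let session = URLSession(configuration: .ephemeral, delegate: PinningDelegate(), delegateQueue: nil)
```

Pinning the leaf certificate means the app stops connecting when the server certificate is replaced, so the pin has to be updated in an app release before rotation.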
