安全地存储客户端机密 [英] Store client secret securely
问题描述
我知道 公共客户端不应该使用客户端机密 因为,无论你如何混淆它,它都不会受到逆向工程.
I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.
但是,负责我进行身份验证的服务的人不想/无法更改它.因此,我需要存储客户端机密并尽可能保护它免受逆向工程的影响.
But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.
因此,我想在构建时使用 gradle 对其进行加密并将其存储在文件中.然后,当我在运行时需要它时,我会解密它.但是现在我要解决如何存储加密密钥...
So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...
我对安全不太了解,所以,我不知道这是否可以解决,或者 Android(最低 sdk 15)是否为此类场景提供了任何机制.
I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.
有什么想法吗?
推荐答案
这篇文章建议了这些选项,从更安全到更安全:
This article suggests these options, from less to more secure:
以明文形式存储
Store in cleartext
使用对称密钥加密存储
使用 Android 密钥库
Using the Android Keystore
使用非对称密钥加密存储
Store encrypted using asymmetric keys
可能,结合使用 #4 和某种方式来明确识别设备将足够安全
Probably, using a combination of #4 and some way to univocally identify the device would be secure enough
这篇关于安全地存储客户端机密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
