Local storage protection in phonegap application


Problem description



I should develop a phonegap application. I need to encrypt my requests to the server side and then decrypt. HTTPS is not a solution, because I need to sign requests to be sure that the data is not fake. I can use any async cryptography (the app will generate private/public keys and will send the public key to the server). But this way I need to keep my private key on the device.

The question is: how can I keep the private key on the device securely?

I can use sqlclipher (to encrypt my local SQLite DB) and integrate it into my phonegap app. Great, but here I have to keep the secret key for the database :)

    var db = window.sqlitePlugin.openDatabase({name: "DB", key: "secret1"});

Anyone who has access to the phone can get this secret key. So here I have the same issue :)

Please, give me any suggestions.

Thanks!

p.s. the app is for iOS and Android

Solution

You have to differentiate between encryption and authentication.

First, I suggest using https to encrypt your messages and transfer them securely.

Second, I suggest using HMAC for authentication of your messages. It basically works like this:

• Generate a secret string known to your app and the server at compile time. You store this secret directly in the source code of your app, so it is never transmitted to or from the server. This might be the main difference to your private/public key approach: you compile the secret right into your app instead of writing it later into some user-accessible storage. "Right into your app" means, in the case of Phonegap, NOT in your HTML/JS files but in the native source code! You have to bridge the accessor to javascript if necessary.

• Set a user id (= key; long, random!) in your app when the user starts your app for the first time. If you want to authenticate your users, you probably have some kind of login/password mechanism. (Store the user id as well as an HMAC generated from the user id and the shared secret on the device. Every time you read the user id, check it against the hash to be sure that the user id was not spoofed.)

In your App

1. Include a user id in every message.
2. Include a timestamp in every message.
3. Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret.
4. Include the hash value in your request header.

On the server side

1. Check if the timestamp is valid, e.g. not older than 2 minutes or so. This prevents replay attacks (at least after 2 minutes).
2. Check in your database if the user id is valid.
3. Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret. Including the request URI prevents people from sending the same valid request to another URI on your server; e.g. in REST environments it is a big difference whether you send the same DELETE request to /comment/1 or /user/1.
4. Compare it to the hash value submitted in your header; they have to be equal.
5. If any check fails, send an error. Otherwise send the response.

There is a chance of getting the shared secret and information about the way you calculate the HMAC hash by decompiling your source code. I see no way to avoid this risk ...without diving deeper into native development:

iOS Keychain

https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html

Android security features

http://developer.android.com/training/articles/security-tips.html
