Android的共享preference安全 [英] Android SharedPreference security

问题描述

我想知道的共享preferences安全。

是否有可能获得访问共享preferences，即使他们是在MODE_PRIV创建（0）？
是否有可能列出所有的共享preferences可用，然后从其他应用程序获取所有设置？
是共享preferences好地方，把敏感数据，如密码或身份验证令牌？

感谢

解决方案

共享preferences如在设备上的文件系统中的文件存储

。他们是，默认情况下，存储应用程序的数据目录中有文件系统premissions设置只允许特定应用程序运行，来访问它们的UID。于是，他们都是私人在这么多的Linux文件权限限制对它们的访问，同在任何Linux / Unix系统上。

任何对设备的根目录访问将能够看到他们，因为根已经获得的一切文件系统上的。此外，与相同的UID与创建应用程序运行的任何应用程序将能够访问它们（这通常不会做，你需要采取的具体行动，使两个应用程序运行具有相同的UID，所以这可能不是一个大的关心）。最后，如​​果有人能够安装设备的文件系统，而无需使用安装Android操作系统，他们也可以绕过限制访问权限。

如果您担心这样的访问到您的preferences（或写入您的应用程序的任何数据），那么你将要对它进行加密。如果你是关心他们，你将需要弄清楚到底有多少保障的风险，你看到的水平是必要的。有关于这在应用程序安全性的Andr​​oid平台一个非常广泛的讨论，只是发表在2011年12月（免责声明：我这本书的作者）。

I wonder about shared preferences security.

Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
Is sharedpreferences good place to put sensitive data, such as password or auth token?

Thanks

解决方案

Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem premissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.

Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps runs with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.

If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see. There is a very extensive discussion about this in Application Security for the Android Platform, just published in December 2011 (disclaimer: I'm the author of this book).

这篇关于Android的共享preference安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！