让Dropbox的API来访问用户的设备上我的账户 [英] Allow Dropbox API to access my account on user's device

问题描述

作为一名移动开发者，我正在寻找一个解决方案，使我的应用程序的用户下载多个.zip文件，将增加一个模块化感觉我的应用程序。我用的Dropbox API的另一个应用程序，允许用户备份项目的及其的帐户，但现在我需要的用户访问的我的帐户。

As a mobile developer, I'm looking for a solution that allows users of my application to download multiple .zip files that will add a "modular" feel to my application. I've used the Dropbox API in another app to allow users to backup items to their account, but now I need the user to access my account.

有没有办法验证Dropbox的会议为我帐户自动，或只是连接到我的公用文件夹，而用户甚至没有注意到？

Is there a way to authenticate the Dropbox session to my account automatically, or just connect to my Public folder without the user even noticing?

什么是硬编码我访问键和应用程序键/秘密到应用程序中的安全问题？我知道这是很简单的从一个.apk文件获得源$ C ​​$ C，但什么可能有人如何处理这些信息？

What are the security implications of hard-coding my access keys and app key/secret into an application? I know it is fairly simple to get the source code from an .apk, but what could someone do with that information?

推荐答案

这是API而不是预期的目的，但你可以授权您的应用程序的访问令牌手动一次，然后嵌入和访问令牌编程方式在所有重用您的应用程序的实例。 （你需要小心，不小心取消了访问令牌虽然）。有可能的安全性和速率限制使用此方法的关注，虽然，这取决于具体情况。

It's not the intended purpose of the API, but you could authorize an access token for your app manually once, and then embed and reuse that access token programmatically in all instances of your app. (You'd need to be careful not to accidentally revoke that access token though.) There are likely security and rate limiting concerns with this method though, depending on the specifics.

或者，使用链接可能会更容易的其他方法。只需使链接（S）所需的（和的转换为直接如果需要的话），那么<一个href="http://stackoverflow.com/questions/1714761/downaload-a-file-programatically-on-android">download从中的。 （此外，Dropbox是不是当然的CDN，所以要了解带宽限制的。 ）

Or, the other method of using the link would probably be easier. Just make the link(s) desired (and convert to direct if necessary), then download from it. (Also, Dropbox isn't a CDN of course, so be aware of bandwidth limits.)

跟帖回答

如果您嵌入您的应用程序令牌和访问令牌的一个应用程序，攻击者可能会提取这些并随后将具有读/写/删除权限（通过API），以尽可能多你的Dropbox的应用程序的访问（无论是应用程序文件夹或者根据您的API应用程序完全Dropbox的），无论任何限制您的应用程序本身通常会试图执行。出于这个原因，你不会想用这种方法来存储任何私人信息，例如，任何私人用户特定的文件。

If you embed your app token and access token in an app, an attacker could potentially extract those and would then have read/write/delete access (via the API) to as much of your Dropbox as the app has access to (either app folder or full Dropbox depending on your API app), regardless of any restrictions your app itself would normally try to enforce. For this reason, you wouldn't want to use this method to store any private information, e.g., any private user-specific files.

这篇关于让Dropbox的API来访问用户的设备上我的账户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！