In iOS, how can I store a secret "key" that will allow me to communicate with my server?


Question

I want to store a secret key ("abc123") that I will use in the header of my REST API requests. My server will check this secret key. If it matches "abc123", then allow the request to be made.

I'm thinking about a simple solution like:

let secret = "abc123" 

But are there going to be any downfalls to this?

Recommended answer

Crazy as it sounds, this is probably the best solution. Everything else is more complicated, but not much more secure. Any fancy obfuscation techniques you use are just going to be reverse engineered almost as quickly as they'll find this key. But this static key solution, while wildly insecure, is nearly as secure as the other solutions while imposing nearly no extra complexity. I love it.

It will be broken almost immediately, but so will all the other solutions. So keep it simple.

The one thing that you really want to do here is use HTTPS and pin your certificates. And I'd pick a long, random key that isn't a word. Ideally, it should be a completely random string of bytes, stored as raw values (not characters) so that it doesn't stand out so obviously in your binary. If you want to get crazy, apply a SHA256 to it before sending it (so the actual key never shows up in your binary). Again, this is trivial to break, but it's easy, and won't waste a lot of time developing.

It is unlikely that any effort longer than an hour will be worth the trouble to implement this feature. If you want lots more on the topic, see Secure https encryption for iPhone app to webpage and its links.
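
The approach described in the answer above (raw random bytes, SHA256 applied before sending, HTTPS with a pinned certificate), as an added example that is not part of the original answer. The header name `X-App-Key`, the key bytes and the pin value are constructed placeholders, and `SecTrustCopyCertificateChain` assumes iOS 15 or later.

```swift
import CryptoKit
import Foundation
import Security

// Constructed sample key: 32 bytes stored as raw values rather than a readable string.
// These bytes are placeholders; generate your own random key.
private let keyBytes: [UInt8] = [
    0x9f, 0x3c, 0x51, 0xe7, 0x08, 0xb2, 0x6d, 0xa4, 0x1e, 0xc9, 0x75, 0x30, 0xfb, 0x82, 0x47, 0xd6,
    0x2a, 0x90, 0x5b, 0xe1, 0x7c, 0x04, 0xbd, 0x68, 0x33, 0xaf, 0x16, 0xc5, 0x89, 0x5e, 0xf0, 0x2d,
]
// Placeholder: hex SHA-256 of the server's DER leaf certificate. Until replaced, nothing matches.
private let pinnedCertSHA256 = "REPLACE_WITH_YOUR_CERT_SHA256_HEX"

private func sha256Hex(_ data: Data) -> String {
    SHA256.hash(data: data).map { String(format: "%02x", $0) }.joined()
}

/// Builds a request that carries SHA256(keyBytes); the value the server checks is never stored.
func authorizedRequest(url: URL) -> URLRequest {
    var request = URLRequest(url: url)
    // Header name is an assumption for this example.
    request.setValue(sha256Hex(Data(keyBytes)), forHTTPHeaderField: "X-App-Key")
    return request
}

/// Accepts a TLS connection only if the chain validates and the leaf certificate is the pinned one.
final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        guard SecTrustEvaluateWithError(trust, nil), // normal chain validation first
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              sha256Hex(SecCertificateCopyData(leaf) as Data) == pinnedCertSHA256
        else {
            return completionHandler(.cancelAuthenticationChallenge, nil) // fail closed on mismatch
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Session whose every connection goes through the pin check above.
func makePinnedSession() -> URLSession {
    URLSession(configuration: .ephemeral, delegate: PinningDelegate(), delegateQueue: nil)
}
```

Pinning the leaf certificate means the pin in the app has to be updated whenever the server certificate is replaced.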
