商店客户端秘密安全 [英] Store client secret securely

问题描述

我知道href="http://tool​​s.ietf.org/html/rfc6819#section-5.2.3.1" rel="nofollow">公共客户端因为，不管你有多少混淆，它不会受到保护，<一个href="http://stackoverflow.com/questions/13854425/how-to-avoid-reverse-engineering-of-an-apk-file">reverse工程。

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

不过，该负责人，我要进行身份验证的服务也不想/不能改变它。所以，我需要存储在客户端的秘密，并试图保护它免受逆向工程为尽我所能。

But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.

所以，我觉得在制作的时候用用摇篮，并将其存储在一个文件中对其进行加密的。然后，当我需要它在运行时我解密。但现在我必须要解决的问题如何存储加密密钥

So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...

我不知道很多关于安全性，因此，我不知道这是否可以解决，或者安卓（分SDK 15）提供的任何机制，这样的场景。

I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.

你知道吗？

推荐答案

<一个href="http://www.androidauthority.com/where-is-the-best-place-to-store-a-password-in-your-android-app-597197/"相对=nofollow>这篇文章表明这些选项，从少到多的安全：

This article suggests these options, from less to more secure:

1. 存放于明文

1. Store in cleartext

使用对称密钥加密存储

使用Android密钥库

Using the Android Keystore

用非对称密钥加密储存

也许，使用＃4的组合某种方式来唯一地识别设备是的放心大胆的

Probably, using a combination of #4 and some way to univocally identify the device would be secure enough

这篇关于商店客户端秘密安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！