商店客户端秘密安全 [英] Store client secret securely
问题描述
我知道href="http://tools.ietf.org/html/rfc6819#section-5.2.3.1" rel="nofollow">公共客户端因为,不管你有多少混淆,它不会受到保护,<一个href="http://stackoverflow.com/questions/13854425/how-to-avoid-reverse-engineering-of-an-apk-file">reverse工程。
I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.
不过,该负责人,我要进行身份验证的服务也不想/不能改变它。所以,我需要存储在客户端的秘密,并试图保护它免受逆向工程为尽我所能。
But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.
所以,我觉得在制作的时候用用摇篮,并将其存储在一个文件中对其进行加密的。然后,当我需要它在运行时我解密。但现在我必须要解决的问题如何存储加密密钥
So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...
我不知道很多关于安全性,因此,我不知道这是否可以解决,或者安卓(分SDK 15)提供的任何机制,这样的场景。
I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.
你知道吗?
推荐答案
<一个href="http://www.androidauthority.com/where-is-the-best-place-to-store-a-password-in-your-android-app-597197/"相对=nofollow>这篇文章表明这些选项,从少到多的安全:
This article suggests these options, from less to more secure:
-
存放于明文
Store in cleartext
使用对称密钥加密存储
使用Android密钥库
Using the Android Keystore
用非对称密钥加密储存
也许,使用#4的组合某种方式来唯一地识别设备是的放心大胆的
Probably, using a combination of #4 and some way to univocally identify the device would be secure enough
这篇关于商店客户端秘密安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!