What is the best way to secure user's data saved locally in app and how to test security level?
Question
After the recent attack on the App Store I was thinking: are the security measures implemented in an app for user data security enough? I know there is no guaranteed way to prevent attacks on your app's data and logic, but we can still frustrate attackers by implementing some kind of security. I am looking for the answers to the following questions.
- Is NSUserDefaults secure?
- Is Keychain Access secure?
- Which is better, NSUserDefaults or Keychain Access, or is there any other recommended approach?
- After implementing it, is there any way to test it by attacking my app?
Answer
- Store credentials for accessing remote services using NSURLCredentialStorage. This uses the keychain when the persistence type is NSURLCredentialPersistencePermanent or NSURLCredentialPersistenceSynchronizable.
- Use the keychain directly for storing types of credentials or personal information that do not fit the above or other frameworks (i.e. Accounts or HealthKit).
- Do not store sensitive information in NSUserDefaults.
- Use the Data Protection APIs for all other local data. This can be done "app wide" using entitlements, or on individual files and directories (using NSFileManager, NSData, etc.).
- Be very wary of 3rd party frameworks and libraries. Many of these capture sensitive information like the user's location and send it insecurely.
- You can certainly attempt to attack your application or hire a company to do so for you. There are many books and resources available for guidance on how to do so; one of the better ones is The Mobile Application Hacker's Handbook.
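As an added example (not part of the original answer), here is what the first and fourth points look like in Swift: a credential stored through URLCredentialStorage with permanent persistence so it lands in the keychain, and a file written with complete Data Protection and then checked. The host, realm, user name, password and file name are constructed placeholders.

```swift
import Foundation

// Constructed placeholders for the remote service; replace with your own.
let apiHost = "api.example.invalid"
let apiRealm = "example-api"

/// Store a credential for a remote service. With `.permanent` persistence
/// URLCredentialStorage backs the entry with the keychain rather than memory.
func storeServiceCredential(user: String, password: String) {
    let space = URLProtectionSpace(host: apiHost,
                                   port: 443,
                                   protocol: "https",
                                   realm: apiRealm,
                                   authenticationMethod: NSURLAuthenticationMethodHTTPBasic)
    let credential = URLCredential(user: user, password: password, persistence: .permanent)
    URLCredentialStorage.shared.set(credential, for: space)
}

/// Write local data with the strongest per-file Data Protection class:
/// the file is only readable while the device is unlocked.
func writeProtected(_ data: Data, fileName: String) throws -> URL {
    let dir = FileManager.default.urls(for: .applicationSupportDirectory,
                                       in: .userDomainMask)[0]
    try FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true)
    let url = dir.appendingPathComponent(fileName)
    try data.write(to: url, options: [.completeFileProtection])
    return url
}

/// Check the protection class actually applied; useful in a unit test to catch
/// a file that was silently written with the weaker default class.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}

// Example usage with constructed values.
storeServiceCredential(user: "alice", password: "placeholder-password")
let url = try writeProtected(Data("{\"notes\":[]}".utf8), fileName: "notes.json")
assert(try protectionClass(of: url) == .complete)
```

On the simulator the protection attribute is recorded but not enforced, so run the check on a device to confirm the class is honored.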