在本地而非服务器端执行某些操作是否安全? [英] Is it safe to do certain things on local side rather than server side?
问题描述
假设我有一个iPhone应用程序,该应用程序通过PHP API与服务器上的数据库通信,并且在将用户ID之类的内容保存到$_SESSION
Let's say I have an iPhone app that communicates with a database on a server through a PHP API, and I have problems with saving something like the user id in $_SESSION (you know, this can be painful sometimes), so alternatively, I can store it in NSUserDefaults or iPhone keychain, and send it to the server when needed, is it wrong/not safe to do such things on the app side rather than the server side?
推荐答案
As per this thread regarding NSUserDefaults: On a normal device you can't really get at it, but if it's jailbroken the plist file is easy to read and change, it is not encrypted in anyway, so it's probably not safe for usernames, passwords or any personal information unless when you save it, you do some sort of encryption hash and then save that.
另一方面,您可以尝试 iOS钥匙串或iCloud钥匙串.它在此处表示:
On the other hand you can try iOS Keychain or the iCloud Keychain. It says here that:
这非常安全,因为任何尝试读取iCloud钥匙串的新设备都需要以下条件之一:
It's pretty secure, since any new device attempting to read your iCloud Keychain requires one of the following:
-
您现有的设备之一通过带有手动接受的推送通知来验证连接.
One of your existing devices verifies the connection through a push notification with manual acceptance.
在其他设备上启用iCloud钥匙串时,使用iCloud钥匙串的其他设备会收到通知,要求批准该其他设备.批准其他设备后,您的iCloud钥匙串会自动开始在该设备上更新.
When you enable iCloud Keychain on an additional device, your other devices that use iCloud Keychain receive a notification requesting approval for the additional device. After you approve the additional device, your iCloud Keychain automatically begins updating on that device.
您的iCloud安全代码
Your iCloud Security Code
设置iCloud钥匙串时,系统会要求您创建一个iCloud安全代码.它可以是类似于设备密码锁的4位数代码,也可以是为您自动生成的更复杂的代码. iCloud安全代码用于授权其他设备使用您的iCloud钥匙串.它还用于验证您的身份,以便您可以执行其他iCloud钥匙串操作,例如,如果丢失了所有设备,则可以恢复iCloud钥匙串.
When you set up iCloud Keychain, you're asked to create an iCloud Security Code. It can be a 4-digit code similar to the passcode lock for your device, or you can have a more complex code automatically generated for you. The iCloud Security Code is used to authorize additional devices to use your iCloud Keychain. It's also used to verify your identify so that you can perform other iCloud Keychain actions, such as recovering your iCloud Keychain if you lose all your devices.
手机短信验证.
正在使用您首次设置iCloud钥匙串时提供的支持SMS的电话号码的设备.验证码通过SMS发送到该电话号码.如果您无权访问此号码,请联系Apple支持,该人可以验证您的身份,以便您可以在新设备上完成设置.
The device that is using the SMS-capable phone number you provided when you first set up iCloud Keychain. A verification code is sent via SMS to this phone number. If you don't have access to this number, contact Apple Support, who can verify your identity so that you can complete setup on your new device.
此外,您还可以通过启用两因素身份验证来保护iCloud帐户/Apple ID 因此,在许多情况下-在新设备上使用密码时,除了Apple发送的自动电子邮件之外,在新设备上首次使用iCloud密码还会触发推送通知警告.
Furthermore, you can also protect your iCloud account / Apple ID by enabling two factor authentication so that in many cases - the first use of your iCloud password on a new device triggers a push notification warning in addition to the automatic email that Apple sends when your password is used on a new device.
总结:
- 在iCloud的新设备上使用密码时,您会收到电子邮件通知-无需选择加入步骤.
- 钥匙串同步具有增强的保护功能/引入了两因素身份验证,再次不需要加入.
- 您可以选择加入AppleID两因素身份验证,以进一步防止密码丢失/窃听.
这篇关于在本地而非服务器端执行某些操作是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
