Android SharedPreference 安全性 [英] Android SharedPreference security
问题描述
我想知道共享偏好的安全性.
I wonder about shared preferences security.
是否可以访问共享首选项,即使它们是在 MODE_PRIV (0) 中创建的?
是否可以列出所有可用的共享首选项,然后从其他应用中获取所有设置?
sharedpreferences 是放置敏感数据(例如密码或身份验证令牌)的好地方吗?
Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?
Is sharedpreferences good place to put sensitive data, such as password or auth token?
谢谢
推荐答案
共享首选项作为文件存储在设备的文件系统中.默认情况下,它们存储在应用程序的数据目录中,并设置了文件系统权限,仅允许特定应用程序运行时使用的 UID 访问它们.因此,它们是私有的,因为 Linux 文件权限限制了对它们的访问,就像在任何 Linux/Unix 系统上一样.
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem permissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
任何对设备具有 root 级别访问权限的人都可以看到它们,因为 root 可以访问文件系统上的所有内容.此外,任何使用与创建应用程序相同的 UID 运行的应用程序都可以访问它们(通常不会这样做,您需要采取特定措施使两个应用程序使用相同的 UID 运行,因此这可能不是什么大问题关心).最后,如果有人能够在不使用已安装的 Android 操作系统的情况下挂载您设备的文件系统,他们也可以绕过限制访问的权限.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps runs with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
如果您担心此类访问您的首选项(或您的应用程序写入的任何数据),那么您将需要对其进行加密.如果您对它们如此担心,您将需要确切地弄清楚您所看到的风险级别需要多少保护.Android 平台的应用程序安全性 中对此进行了非常广泛的讨论,刚刚发布于2011 年 12 月(免责声明:我是本书的作者).
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see. There is a very extensive discussion about this in Application Security for the Android Platform, just published in December 2011 (disclaimer: I'm the author of this book).
这篇关于Android SharedPreference 安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
