如何在 Android 中安全地存储访问令牌和机密? [英] How to securely store access token and secret in Android?

问题描述

我将使用 oAuth 从谷歌获取邮件和联系人.我不想每次都要求用户登录以获取访问令牌和机密.据我所知，我需要将它们与我的应用程序一起存储在数据库或 SharedPreferences 中.但我有点担心安全方面的问题.我读到您可以加密和解密令牌，但攻击者很容易反编译您的 apk 和类并获取加密密钥.
在 Android 中安全存储这些令牌的最佳方法是什么?

I am going to use oAuth to fetch mails and contacts from google. I don't want to ask the user each time to log in to obtain an access token and secret. From what I understood, I need to store them with my application either in a database or SharedPreferences. But I am a bit worried about security aspects with that. I read that you can encrypt and decrypt the tokens but it is easy for an attacker to just decompile your apk and classes and get the encryption key.
What's the best method to securely store these tokens in Android?

推荐答案

将它们存储为 shared偏好.这些默认情况下是私有的，其他应用程序无法访问它们.在有 root 权限的设备上，如果用户明确允许访问某个试图读取它们的应用程序，该应用程序可能能够使用它们，但您无法防止这种情况发生.至于加密，您必须要求用户每次都输入解密密码(从而破坏了缓存凭据的目的)，或者将密钥保存到文件中，您会遇到同样的问题.

Store them as shared preferences. Those are by default private, and other apps cannot access them. On a rooted devices, if the user explicitly allows access to some app that is trying to read them, the app might be able to use them, but you cannot protect against that. As for encryption, you have to either require the user to enter the decrypt passphrase every time (thus defeating the purpose of caching credentials), or save the key to a file, and you get the same problem.

存储令牌而不是实际用户名密码有几个好处:

There are a few benefits of storing tokens instead of the actual username password:

• 第三方应用不需要知道密码，用户可以确保他们只将密码发送到原始网站(Facebook、Twitter、Gmail 等)
• 即使有人窃取了令牌，他们也看不到密码(用户也可能在其他网站上使用)
• 令牌通常具有生命周期并在特定时间后到期
• 如果您怀疑令牌已被盗用，则可以撤销令牌

这篇关于如何在 Android 中安全地存储访问令牌和机密?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！