Should I obfuscate OAuth consumer secret stored by Android app?


Problem description

My Android app contains OAuth consumer secret for Twitter's API. At the moment it's in .properties file in plain text, so it takes zero effort for someone to look it up in APK.

Should I take steps to obscure it (like, rot13 or stored in obfuscated Java code)? Or should I actually avoid doing any of that, as it would create false sense of security?

How do people usually distribute/store OAuth secret in Android apps? How common is it for the secret to be stolen and abused?

Recommended answer

The real question is what does an attacker get from stealing it...

You should do your best to protect secrets but at the end, a highly motivated hacker can always get to it in an installed app. So it's the value of the secret vs. difficulty of extraction.

The value of the client secret is impersonating the application. It doesn't give any access to user data. However, since Twitter supports automatic issuance of credentials to previously approved apps (their sign-in with Twitter flow), an attacker can potentially build a web app with your secret and steal user data using a blind redirect.

The problem with Twitter's implementation is that they do not ask the developer about the nature of the application. If they did, they would not have issued you a secret to begin with, and would block anyone building a web application using your client credentials and stealing data from users who already approved it.

Obfuscating is one option, but a weak one. Moving the secret to a web server acting as an API proxy is another, but that just moves the problem elsewhere because now your app has to authenticate against the proxy server. However, this pattern can be reasonably secure if you require users to log into your site (which can use, via web views, Twitter to log in). This way, someone trying to abuse your proxy will need their users to open accounts on your service, which isn't very appealing.

In short, go ahead and obfuscate it. It doesn't hurt. Consider using the proxy pattern too. And maybe let Twitter know their security policies are "not great".
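The proxy pattern from the answer above, as an added example that is not part of the original post: the consumer secret stays on a server that signs Twitter API calls only for users who already have a session on our own site. The credentials and the session store are constructed placeholders (a real deployment would back the store with its login system); the OAuth 1.0a HMAC-SHA1 signing itself is the standard scheme Twitter's API uses.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# The consumer secret lives only here, on the server (constructed placeholder values).
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

# Server-side session store (constructed sample data): a session cookie issued after the
# user signed in to our own site maps to that user's Twitter access token pair.
SESSIONS = {
    "sess-abc": {"token": "user-token", "token_secret": "user-token-secret"},
}

def _enc(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved characters kept)."""
    return quote(str(value), safe="~")

def oauth1_signature(method, url, params, token_secret):
    """Return (signature base string, base64 HMAC-SHA1 signature) for a request.
    `params` holds the oauth_* parameters plus the form/query parameters; `url` carries
    no query string (query parameters go into `params` instead)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _enc(url), _enc(normalized)])
    signing_key = f"{_enc(CONSUMER_SECRET)}&{_enc(token_secret)}"  # consumer secret never leaves here
    digest = hmac.new(signing_key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base_string, base64.b64encode(digest).decode()

def proxy_request(session_id, method, url, body_params, nonce=None, timestamp=None):
    """Sign an outbound Twitter API call on behalf of a logged-in user of our site.
    An unknown session gets nothing back, so the secret cannot be borrowed without an
    account here. Returns the Authorization header plus the base string for inspection."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": session["token"],
        "oauth_version": "1.0",
    }
    base_string, sig = oauth1_signature(method, url, {**body_params, **oauth}, session["token_secret"])
    oauth["oauth_signature"] = sig
    header = "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in sorted(oauth.items()))
    return {"Authorization": header, "base_string": base_string}
```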
