Security implications of storing a password in Settings.bundle and getting with CFPreferencesCopyAppValue


Question

Apologies for the seeming obviousness of this question, but for whatever reason I haven't been able to find a definitive answer in the Apple documentation about where and how Settings.bundle password info is stored. My question: if I need to store some credentials for an app, and I use a Settings.bundle so that the password is entered into a PSTextFieldSpecifier textfield in Apple's Settings area with IsSecure = YES, and then I access the value from my app using CFPreferencesCopyAppValue, never writing it out to NSUserDefaults and only sending it over the network securely, how secure is that storage and retrieval method when compared to storing and retrieving the password using the keychain in my own app settings? Thanks for your input.

Recommended answer

CFPreferencesCopyAppValue is just the Core Foundation way of accessing the same information you get when using NSUserDefaults. In terms of security, the features are exactly the same. That is, it's not encrypted. It's secure only in the sense that it's obscured. The "correct" answer is to use the keychain.

The counter to that is that many applications use NSUserDefaults to store passwords. You could argue that unless the password controls access to information of any value then it's not worth the effort in trying to use the keychain. Which brings me to the second argument in favour of using a secure field in the Settings application: the keychain API is hideous and, in my experience at least, writing error-free code is tricky.
