Access Tokens Persistence Best Practices (iOS)


Question

Should access tokens for services like Twitter and Facebook be encrypted? In particular, should tokens be stored in the device's Keychain vs. UserDefaults? What are some possible security issues that could arise if a user's device is stolen/taken?

This is what I have come up with so far.

Pros of Keychain:
Encrypted

Cons:
No way to clean up when the user removes the app

Pros of UserDefaults:
Kept inside the app.

Cons:
No encryption.

Answer

Your UserDefaults 'con' needs amending: no encryption by default. You can encrypt the content yourself using e.g. CommonCrypto, but it needs additional work over storing the plain text.

The point of an OAuth token is that someone who owns that token can use the relevant service without having to present credentials. Therefore, you should protect it like you would protect the password if you had to store that instead, as it has the same value.

If the user's device is stolen, then unless they have passcode-locked their device, the thief has the capability to use your app as the user in either of the situations you describe. If you do not encrypt the access token, then they additionally have the capability to extract it and replay it from code under their control.
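As an added example (not part of the question or the answer above), here is a small Swift wrapper that stores an OAuth access token the way the answer recommends: in the Keychain as a generic-password item, restricted to this device and readable only while it is unlocked. The weak UserDefaults form is shown beside it for contrast, and the last function addresses the Keychain "con" from the question (items outlive the app) by purging tokens on the first launch after a fresh install. The service name `com.example.app.oauth`, the account names, the sample token and the `firstRunKey` name are all illustrative assumptions.

```swift
import Foundation
import Security

// Added example, not from the original page. Service/account/key names are assumed.
enum TokenStore {
    static let service = "com.example.app.oauth"            // assumed identifier
    static let firstRunKey = "TokenStore.hasLaunchedBefore"  // assumed UserDefaults key

    enum KeychainError: Error {
        case unexpectedStatus(OSStatus)
    }

    // Attributes that identify one token item (class + service + account).
    private static func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    // WEAK FORM: the token lands as plain text in the app's preferences plist
    // (Library/Preferences), which is readable from any backup or jailbroken device.
    static func insecureSaveToUserDefaults(token: String, account: String) {
        UserDefaults.standard.set(token, forKey: "token." + account)
    }

    // HARDENED FORM: the token is stored in the Keychain. kSecAttrAccessible
    // WhenUnlockedThisDeviceOnly means the item is only decryptable while the
    // device is unlocked and is never migrated to another device via backup.
    static func save(token: String, account: String) throws {
        var item = baseQuery(account: account)
        item[kSecValueData as String] = Data(token.utf8)
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        var status = SecItemAdd(item as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // Item already exists for this service/account: replace its value in place.
            let update: [String: Any] = [kSecValueData as String: Data(token.utf8)]
            status = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                                   update as CFDictionary)
        }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    // Returns nil when no token is stored; throws on any other Keychain error.
    static func load(account: String) throws -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return String(data: data, encoding: .utf8)
    }

    // Removing a token on logout is as important as protecting it at rest.
    static func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }

    // Keychain items survive app deletion; UserDefaults does not. Call this at
    // launch: a missing UserDefaults flag means a fresh install, so any tokens
    // left behind by a previous install are purged instead of silently reused.
    static func purgeStaleTokensOnFreshInstall(accounts: [String]) throws {
        let defaults = UserDefaults.standard
        if !defaults.bool(forKey: firstRunKey) {
            for account in accounts { try delete(account: account) }
            defaults.set(true, forKey: firstRunKey)
        }
    }
}

// Usage, e.g. from application(_:didFinishLaunchingWithOptions:) (sample values):
// try TokenStore.purgeStaleTokensOnFreshInstall(accounts: ["twitter", "facebook"])
// try TokenStore.save(token: "sample-access-token", account: "twitter")
// let token = try TokenStore.load(account: "twitter")   // "sample-access-token"
// try TokenStore.delete(account: "twitter")             // on logout
```

Two design notes: the access class is set only on `SecItemAdd`, so an item created earlier under a looser class keeps it until it is deleted and re-added; and the first-run purge relies on UserDefaults being wiped with the app, which is exactly the asymmetry the question lists as a Keychain drawback, turned into a cleanup signal.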
