问题描述
我的应用程序需要登录,并且具有Remember username and password
功能.用户名和密码然后用
My app requires login, and I have a Remember username and password
ability. The username and password is then stored with
这种存储用户名和密码的方法有多安全?我担心的是,特别是在Android上,是其他应用程序是否有权访问数据并可以获取登录信息.
How secure is this way of storing the username and password? What I'm worried about, specially on Android, is if other apps have access to the data and can fetch the login info.
该应用程序适用于iOs和Android,我正在使用PhoneGap 2.9
.
The app is for iOs and Android, and I'm using PhoneGap 2.9
.
推荐答案
LocalStorage在通常情况下只能由您的应用访问.它与特定平台(iOS,Android)上的沙箱能够保护您的应用程序数据不被其他应用程序读取一样安全.
LocalStorage is under normal circumstances only accessible by your app. It is as secure as the sandbox on the specific platform (iOS, Android) is able to protect your app's data from being read by other apps.
有时候,沙箱的强度不如您预期.在这些情况下:
Sometimes that sandbox is not as strong as you might expect, e.g. in these cases:
- 设备已植根或越狱
- 制造商未能提供安全更新或用户只是没有更新
- 攻击者可以物理访问设备,例如,如果设备被盗了.
如果攻击者可以访问明文密码和用户名,则他们还可以尝试将其用于其他帐户(而不仅仅是您的服务).因此,如果您的应用程序用户为多个服务使用相同的密码,则攻击者也可以访问这些服务.
If the attacker has access to the cleartext password and username, they could try them also for other accounts (not just your service). So if the user of your app used the same password for multiple services, the attacker could gain access to them as well.
如何存储密码哈希?
对于服务器端应用程序,这是一个好主意,因为它们在受保护的环境中运行(具有访问控制的数据中心,系统工程师负责安全更新).
For server side applications this is a great idea, because they run in a protected environment (datacenters with access control, system engineers taking care of security updates).
另一方面,电话很容易被盗,用户经常不安装安全更新,或者无法安装安全更新.
A phone, on the other hand, is stolen easily, and users often don't or can't install security updates.
如果哈希未加盐,则很容易使用彩虹表获取明文密码.如果哈希值过大,则很容易获得明文密码(对于简单密码).另外,生成不安全的密码哈希也很容易.
If the hash is not salted it is very easy to get the cleartext password using rainbow tables if you got the hash. If the hash is salted it is very easy to get the cleartext password for simple passwords. Also, it's very easy to generate insecure password hashes.
解决方案:存储随机生成的访问令牌:无论密码多么简单或复杂,通过查看令牌获取明文密码都是不可能.
Solution: store randomly generated access tokens: no matter how simple or complex the password is, it's just impossible to get the clear text password by looking at the token.
TL; DR
如果您使用凭据对某种API服务进行身份验证,则应该不将密码和用户名存储在本地,即使是在安全的存储区(例如iOS钥匙串)中.
If you're using the credentials for authentication against some kind of API service, you should not store the password and username locally, even in a secure store such as the iOS keychain.
您应该做的只是存储从该API获得的随机生成的令牌(没有密码哈希!)(类似于存储会话的概念Cookie中的ID,而不是用户/密码组合中的ID).一种可能性是使用OAuth.
What you should do instead is storing only a randomly generated token (NOT a password hash!) you get from that API (similar to the concept of storing the Session ID in a cookie rather than the user/pass combination). One possibility would be to use OAuth.
这样,即使沙箱无法保护数据或手机被盗,您也可以确保真实的凭据永远不会泄漏.
That way you make sure the real credentials can never be leaked, even when the sandbox fails to protect the data or the phone is stolen.
这篇关于使用localStorage存储数据的安全性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!