问题描述
我需要在哪里将与每个请求一起提交的身份验证令牌存储在Android应用程序中?我要求一个安全的存储位置,例如iphone具有钥匙串,Android中是否有等效的服务?共享首选项中的存储是否安全?
Where do I need to store the authentication token which will be submitted with each request in an Android application? I'm asking for a secure storage location, for example iphone has keychain, is there an equivalent service in Android? Is storing in shared preferences secure or not?
推荐答案
在Android 4.3及更高版本中,有一个名为AndoridKeystore的东西,它大致等效于iOS密钥链.这里是一个不错的博客它和官方的 API示例项目.
In Android 4.3+ there is something called AndoridKeystore which is roughly equivalent to iOS key chain. Here's a good blog write up of it and official API sample project.
通常,如果您使用 Context.MODE_PRIVATE
创建共享的首选项,则只能由您的应用程序(或其他由密钥签名的应用程序)访问.但是,如果设备已植根,则用户和任何应用程序都可能读取您应用程序的私人共享首选项.
In general if your create your shared preferences with Context.MODE_PRIVATE
they are only accessible by your application (or other app signed by your key). However if the device is rooted they the user and any app could potentially read your app's private shared preferences.
我帮助创建和维护了一个名为安全首选项的库,以模糊化密钥和值.存储在共享的首选项中,使攻击者更难,然后要求对应用程序进行反向工程(尽管这不是火箭科学).一个很好的替代安全首选项的方法是Mark Murphy的 CWAC-prefs ,它由SQLcipher支持.
I helped create and maintain a library called secure-preferences to obfuscate key and values that are stored in the shared preferences to make it harder for attackers and require then to reverse engineer the app (although that's not rocket science). A good alternative to secure-preferences is CWAC-prefs by Mark Murphy which is backed by SQLcipher.
这篇关于我应该在Android的哪里存储身份验证令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!