xcode 在 iOS 上存储身份验证令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12712260/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Storing authentication token on iOS
提问by ConfusedNoob
I am building an iOS application and the user authenticates with my web service. I don't want them to login every time the app launches (the token lasts a month). So I'd like to cache this on the device somewhere.
我正在构建一个 iOS 应用程序,并且用户使用我的 Web 服务进行身份验证。我不希望他们每次启动应用程序时都登录(令牌持续一个月)。所以我想将它缓存在设备上的某个地方。
What's the best way to do this, securely?
安全地执行此操作的最佳方法是什么?
Can I just rely on the app remaining suspended and keeping the token in 'memory'?
我可以依靠应用程序保持暂停状态并将令牌保留在“内存”中吗?
采纳答案by Lithu T.V
2 options
2个选项
- Make use of NSUserdefault(store as access token or textfield inputs[Remember me option])
- Keychain access(recommended) for doing the job.
- 使用NSUserdefault(存储为访问令牌或文本字段输入[记住我选项])
- 钥匙串访问(推荐)来完成这项工作。
NSUserdefaults is not secure for storing such credible values which is for authentication purpose.Keychain on the other hand is made to do this,safe and secure.
NSUserdefaults 用于存储此类用于身份验证的可信值是不安全的。另一方面,钥匙串就是为了做到这一点,安全可靠。
回答by Victor Ronin
You can't rely that iOS will keep your application forever in the memory. So, you have to save the token to persistent storage at some point.
您不能指望 iOS 会将您的应用程序永远保留在内存中。因此,您必须在某个时候将令牌保存到持久存储中。
Look at Keychain Service for iOS. This is the best place to store things like passwords, tokens and other keys.
查看适用于 iOS 的钥匙串服务。这是存储密码、令牌和其他密钥等内容的最佳位置。
回答by Josh
You can't do it "securely." A token is public knowledge, and as soon as its on your device a hacker could gain access to it no matter what you try to do to protect it. Putting it in the keychain won't change this fact. Even if you store it there, which would make it secure while it's in there, they can simply wait until it expires then snag the next one when it comes in over the wire next time. Your access tokens aren't the thing you need to worry about securing, because you can't, in fact, do that in a mobile environment.
你不能“安全地”做到这一点。令牌是公共知识,只要它在您的设备上,无论您尝试采取什么措施来保护它,黑客都可以访问它。把它放在钥匙串里不会改变这个事实。即使您将它存储在那里,这将确保它在那里时的安全,他们也可以简单地等待它到期,然后在下一次通过电线进入时抓住下一个。您的访问令牌不是您需要担心的安全问题,因为事实上,您无法在移动环境中做到这一点。
What this means is that you can store it anywhere you'd like. NSUserDefaults is fine, the keychain is fine, a database is fine, a text file in your documents directory is fine. All of them are equally secure because a determined hacker can simply wait for the right opportunity to access the data they want. You should instead worry about securing your users' authentication credentials. Make sure you store those in the keychain, and only ever communicate with your API over HTTPS to a server with a valid SSL certificate.
这意味着您可以将它存储在任何您想要的地方。NSUserDefaults 很好,钥匙串很好,数据库很好,文档目录中的文本文件也很好。所有这些都同样安全,因为坚定的黑客可以简单地等待合适的机会访问他们想要的数据。相反,您应该担心保护用户的身份验证凭据。确保将它们存储在钥匙串中,并且只通过 HTTPS 与具有有效 SSL 证书的服务器的 API 进行通信。
