How to securely store credentials (password) in an Android application?
Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/10990821/
Asked by Noor
I want to store the password used for signing in to a financial application that I am developing in a secure place. After doing some net surfing I found the following options, but each of them has certain drawbacks.
1) KeyChain.
Only available in OS version 4.
2) Shared Preferences.
It stores data in plain text, and even if I encrypt the data, the encryption key can be compromised by decompiling the application code.
3) Access keystore daemon and store credentials in it.
(http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html)
Requires another password to remember.
Please suggest a better way to secure credential information in an Android application, like the iPhone KeyChain.
Accepted answer by Nikolay Elenkov
There is no equivalent of the iPhone's KeyChain in Android currently. If you want to keep something secret, don't store it on the device. Or at least, don't store the key/password it is encrypted with on the device. Simple as that.
Additionally:
1) Even on ICS, you cannot use the KeyChain directly to store application secrets (see the blog post in 3)).
2) This is only a problem for rooted phones, or if someone has physical access to the device.
3) It is a lot better to remember a single password protecting all of your credentials than to try to remember multiple passwords. Additionally, on ICS there is no separate password: the credential storage is protected by the device unlock password.
Answer by Durai Amuthan.H
Hashing is the solution; don't store credentials as plain text in shared preferences or any other medium.
Just salt and hash the password, then you may proceed to store it in either SharedPreferences or some embedded DB.
Here is how it works:
Online
The plain (unhashed) password is sent to the server for authentication & authorization; upon successful login:
The salt can either be generated on the server and returned to the client, or generated at the client.
Then store it as the salt, hash the password with it, and store the hash.
Offline
We'll hash the password the user entered using the salt we stored.
We'll compare it with the hash we stored upon successful login.
If both are equal then we'll let the user in; otherwise we won't let the user in.
Advantages:
So now you don't have to worry about version compatibility.
Even if the device is rooted, it's so hard to brute-force the hash.
Even if someone decompiles/cracks the app, it's so hard to reverse engineer.
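The enroll-online / verify-offline scheme described in the answer above, as an added worked example that is not code from the original post. The answer says only "salt and hash"; the concrete choices here are assumptions: PBKDF2-HMAC-SHA1 (available through `javax.crypto` on both Android and plain Java) with 10,000 iterations, a 16-byte salt from `SecureRandom`, and Base64 strings as the persisted form so the two values can be written to `SharedPreferences` unchanged. The class and method names (`OfflinePasswordVerifier`, `enroll`, `verify`) are made up for the example, and the network round-trip to the server is left out.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example of the enroll-online / verify-offline scheme from the answer
 * above; it is not code from the original post. Assumptions (the answer says
 * only "salt and hash"): PBKDF2-HMAC-SHA1 with 10,000 iterations, a 16-byte
 * salt from SecureRandom, and Base64 strings as the persisted form so the two
 * values can be written to SharedPreferences as-is. java.util.Base64 needs
 * Java 8 (Android API 26); older Android has android.util.Base64 instead.
 */
public final class OfflinePasswordVerifier {

    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 10_000; // assumed; raise as devices allow
    private static final int HASH_BITS = 256;

    /** What gets persisted: never the password, only salt, hash and the cost used. */
    public static final class StoredCredential {
        public final String saltB64;
        public final String hashB64;
        public final int iterations;

        StoredCredential(String saltB64, String hashB64, int iterations) {
            this.saltB64 = saltB64;
            this.hashB64 = hashB64;
            this.iterations = iterations;
        }
    }

    /**
     * Online step. Call this only after the server has accepted the plain
     * password (the network round-trip itself is outside this example).
     */
    public static StoredCredential enroll(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);              // fresh random salt per enrollment
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return new StoredCredential(
                Base64.getEncoder().encodeToString(salt),
                Base64.getEncoder().encodeToString(hash),
                ITERATIONS);
    }

    /** Offline step: re-derive with the stored salt and compare in constant time. */
    public static boolean verify(char[] attempt, StoredCredential stored) throws Exception {
        byte[] salt = Base64.getDecoder().decode(stored.saltB64);
        byte[] expected = Base64.getDecoder().decode(stored.hashB64);
        byte[] actual = pbkdf2(attempt, salt, stored.iterations);
        // On current JDK/Android runtimes MessageDigest.isEqual does not return
        // early at the first differing byte (unlike Arrays.equals), so a wrong
        // guess leaks no timing signal about how much of the hash matched.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                        // scrub the copy the spec holds
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not a real user's password.
        char[] password = "correct horse battery staple".toCharArray();
        StoredCredential stored = enroll(password);
        Arrays.fill(password, '\0');                     // drop the plain password immediately

        System.out.println("persist salt=" + stored.saltB64 + " hash=" + stored.hashB64);
        System.out.println("right password accepted: "
                + verify("correct horse battery staple".toCharArray(), stored));
        System.out.println("wrong password rejected: "
                + !verify("correct horse battery stapler".toCharArray(), stored));
    }
}
```

The password is handled as a `char[]` rather than a `String` so it can be zeroed after use, and the iteration count is stored next to the hash so it can be raised later without invalidating existing enrollments. Note the caveat from the accepted answer still applies: anyone who can read the app's private storage (root, or physical access to an unencrypted device) gets the salt and hash and can run offline guesses against them, which is why a slow, iterated KDF is used here instead of a single SHA-256 call, and why it buys time rather than making guessing impossible.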