java 您应该使用 AccountManager 来存储 Android 应用程序的用户名和密码吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10890211/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Should you use AccountManager for storing Usernames and Passwords for an Android app?
提问by HGPB
I would like to know if one should implement AccountManagerto save user credentials such as username, email, passwords etc. I can't find a good reason to use it myself.
我想知道是否应该实施AccountManager以保存用户凭据,例如用户名、电子邮件、密码等。我找不到自己使用它的充分理由。
I don't want other applications to have access to the Accountsand I don't really want them showing in the "Accounts and Sync" settings (although maybe that's not a big deal).
我不希望其他应用程序访问Accounts并且我真的不希望它们显示在“帐户和同步”设置中(尽管这可能没什么大不了的)。
So my question is: should I use it? Pros/cons? Can I hide the Accountsfrom other apps and stop them from appearing in "Accounts and Sync"?
所以我的问题是:我应该使用它吗?优点缺点?我可以对Accounts其他应用程序隐藏并阻止它们出现在“帐户和同步”中吗?
采纳答案by wattostudios
This accepted answer to this question would probably help you... What should I use Android AccountManager for?
这个问题的公认答案可能会帮助你...... 我应该使用Android AccountManager做什么?
It should also be pointed out, as mentioned in the above post and also in AccountManager without a SyncAdapter?, that you can't have an AccountManagerwithout a SyncAdapter, so its probably not good to use this for your particular situation.
还应该指出的是,如上一篇文章以及没有 SyncAdapter 的 AccountManager 中提到的那样?, 你不能AccountManager没有 a SyncAdapter,所以在你的特定情况下使用它可能不好。
I can't see any reason to use an AccountManagerspecifically for storing this type of information - at the end of the day, its no different to manually storing the data yourself in your own database or file. If anything, it probably complicates things - why don't you just store it in SharedPreferences?
我看不出有任何理由AccountManager专门用于存储此类信息——归根结底,与自己手动将数据存储在自己的数据库或文件中没有什么不同。如果有的话,它可能会使事情复杂化 - 你为什么不把它存储在SharedPreferences?
The only reason I could think of that would encourage the use of AccountManagerwould be if you want to share your account across a number of different apps, as the data is stored in the central Android datastore which can be accessed by all apps. However, if this isn't required, I think its probably easier and simpler to just use SharedPreferences
我认为鼓励使用的唯一原因AccountManager是,如果您想在多个不同的应用程序之间共享您的帐户,因为数据存储在所有应用程序都可以访问的中央 Android 数据存储区中。但是,如果这不是必需的,我认为它可能更容易和更简单地使用SharedPreferences
回答by Joan
Overview
概述
Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB.
A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key.
使用 AccountManager 存储凭证比存储在文件或 SQL DB 中更安全。
与通过 AccountManager 不同,任何其他应用都可以检索文件,Android 将强制只有您的应用才能访问密钥。
But even the AccountManager is not fully secured in case of lost phone for example, see this for more info.
但即使是 AccountManager 也不是完全安全的,例如在丢失手机的情况下,请参阅此了解更多信息。
Good practice(s)
良好做法
- I would recommend to use the AccountManager and notstore the password in clear but the hash.
- And for a better level of security it's even better to store a device dedicated token delivered by the webservice and associated to the account (on the webservice side) and enable the user to revoke the token.
- 我建议使用 AccountManager,而不是将密码以明文形式存储,而是以散列形式存储。
- 为了获得更好的安全级别,最好存储由网络服务提供并与帐户相关联的设备专用令牌(在网络服务端),并使用户能够撤销令牌。
Not good
不好
- Do notstore a clear or even hashed password as a file or in a DB accessible by anyone.
- Never store a clear password but always work with a hash instead.
- 难道不是存储清晰甚至哈希密码的文件或由任何人访问的数据库。
- 永远不要存储清晰的密码,而是始终使用哈希值。
