验证我的Android应用程序用户的最佳方法是什么?
[英]What is the best method to authenticate users for my Android application?
问题描述
I'm working on an Android application that needs users to be registered with us first and then only they can access. 
我正在开发一个Android应用程序,该应用程序需要先向我们注册用户,然后才可以访问。 The information users will get will be really sensitive, so I want a secure method to do this. 用户获得的信息将非常敏感,因此我需要一种安全的方法来执行此操作。 I have never worked on such authenticating feature before with Android, but when I had to do something similar for a web application I would store the passwords MD5 hashed in a MySQL database. 我以前从未在Android上使用过这种身份验证功能,但是当我必须对Web应用程序执行类似操作时,我会将散列的MD5密码存储在MySQL数据库中。 But I think this isn't a quite secure method, is it? 但是我认为这不是一个很安全的方法,对吗?
What can I do to ensure security for my users while authenticating them? 在验证用户身份时,我该怎么做以确保其安全性?
Also, can I use oAuth here? 另外,我可以在这里使用oAuth吗?
1 个解决方案
解决方案1
1 2013-02-22 23:30:20
Yes, you can use oAuth on Android. 是的,您可以在Android上使用oAuth。 You should look at the official Android oAuth2 training http://developer.android.com/training/id-auth/authenticate.html 您应该查看官方的Android oAuth2培训http://developer.android.com/training/id-auth/authenticate.html
If you decide to implement your own authentication method, then storing passwords will be tricky. 如果您决定实施自己的身份验证方法,则存储密码将很棘手。 MD5 is insecure, SHA-256 with salting may be enough. MD5不安全,带盐的SHA-256可能就足够了。 In this scheme you store two things: 在此方案中,您存储两件事:
- The password hash = SHA(password + salt) 密码哈希= SHA(密码+盐)
- The salt which is a random literal. 盐是随机文字。
A good tutorial and a lot of details on this topic can be found on this page 很好的教程和有关此主题的许多详细信息可以在此页面上找到
If you have to deal with high risk data, I suggest you to contact security specialists who can help you create an appropriate solution. 如果您必须处理高风险数据,建议您联系安全专家,他们可以帮助您创建适当的解决方案。 If you do it yourself without experience, then it is most probable that you will fail. 如果您自己没有经验就这样做,那么很可能会失败。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.