简体繁体 English

在 iOS 上存储身份验证令牌 - NSUserDefaults 与钥匙串？

[英]Storing authentication tokens on iOS - NSUserDefaults vs Keychain?

原文 2013-05-28 15:10:39 0 3 ios/ objective-c/ api/ nsuserdefaults/ keychain

Which is the place I should be storing tokens for when the user logins in to a service?当用户登录服务时，我应该在哪个位置存储令牌？ I'm not saving passwords (obviously where I'd use the Keychain) but just the token.我没有保存密码（显然我会在那里使用钥匙串），而只是保存令牌。 A lot of places say just use NSUserDefaults but some people on StackOverflow seem really keen on the Keychain.很多地方都说只使用 NSUserDefaults，但 StackOverflow 上的一些人似乎非常热衷于 Keychain。

Is NSUserDefaults fine? NSUserDefaults 好吗？

3 个解决方案

I would highly recommend you use the keychain - it's exactly what Facebook do for storing their session tokens.我强烈建议你使用钥匙串——这正是 Facebook 用来存储他们的会话令牌的方法。

NSUserDefaults is not secure or encrypted - it can be easily opened and read, both on device and when synced to a Mac. NSUserDefaults不安全或不加密 - 它可以在设备上和同步到 Mac 时轻松打开和阅读。 So whilst user defaults is a good place for things like preferences and config info, it's not a good place for anything sensitive, like passwords.因此，虽然用户默认值是首选项和配置信息等内容的好地方，但它不是任何敏感内容的好地方，例如密码。

Session tokens should almost always treated the same as passwords, so you should store them securely in the keychain, where they'll be encrypted.会话令牌几乎总是与密码一样对待，所以你应该将它们安全地存储在钥匙串中，在那里它们将被加密。 Apple have some sample code ( GenericKeychain ) that shows a basic implementation, and you'll find other examples by searching StackOverflow. Apple 有一些示例代码 ( GenericKeychain ) 显示了基本实现，您可以通过搜索 StackOverflow 找到其他示例。 Hope that's helped you out.希望对你有所帮助。

NSUserDefaults can be used without any problems (for tokens!). NSUserDefaults 可以毫无问题地使用（对于令牌！）。 Please check documentation https://developer.apple.com/documentation/security/keychain_services请检查文档https://developer.apple.com/documentation/security/keychain_services

Keychain Services are invented to “secrets” that the user explicitly cares about, ie passwords, private keys or even secure notes, ie clear credentials.钥匙串服务被发明为用户明确关心的“秘密”，即密码、私钥或什至安全笔记，即清晰的凭证。 But access tokens are temporary hashes generated after user entered password and have limited time.但是访问令牌是用户输入密码后生成的临时哈希，时间有限。 And even if stolen, the malefactor cannot completely stole the account - the owner can login on another device and previous access token will be reset.即使被盗，犯罪者也不能完全盗取帐户 - 所有者可以在另一台设备上登录，并且先前的访问令牌将被重置。 So, formally there is no forbiddance to store access tokens in UserDefaults.因此，从形式上讲，没有禁止在 UserDefaults 中存储访问令牌。

The data from UserDefaults can be stolen only if the device is stolen itself, but I think the security level of the content is much lower than the physical device itself. UserDefaults 的数据只有在设备本身被盗的情况下才能被盗，但我认为内容的安全级别远低于物理设备本身。 I think user would not worry about the token in that case, but about the device.我认为在这种情况下用户不会担心令牌，而是担心设备。

However, it's a good practice to store it in Keychain, but it's just an excessive (!) usage of security and usually recommended by random users in the Internet and it's not required by Apple.但是，将它存储在 Keychain 中是一个很好的做法，但这只是对安全性的过度（！）使用，通常由 Internet 上的随机用户推荐，Apple 不要求这样做。 There is no documentation by Apple there they say that tokens must be stored in Keychain (if you can find one, then please comment one below). Apple 没有提供任何文档，他们说令牌必须存储在钥匙串中（如果你能找到一个，请在下面评论一个）。

So, the answer is - you can use both.所以，答案是 - 您可以同时使用两者。 However, if you app is operating with content that costs a lot in contrast to stolen iPhone, then it's better to use Keychain, but it's just a recommendation.但是，如果您的应用程序使用的内容与被盗 iPhone 相比成本很高，那么最好使用 Keychain，但这只是一个建议。

All sensitive data should be stored in the keychain.所有敏感数据都应存储在钥匙串中。 UserDefaults is for small pieces of data like user preferences. UserDefaults适用于用户偏好等小块数据。