如何在Android上安全存储商店敏感日期?
[英]How can I securely store store sensitive date on an Android?
问题描述
I need to have an option to store an authentication key or password for an application that communicates over an SSH tunnel. 
我需要一个选项来存储通过SSH隧道通信的应用程序的身份验证密钥或密码。 What would be the most secure way of storing this without requiring the user to input an key. 在不需要用户输入密钥的情况下,最安全的存储方式是什么。
Can I get something unique and secret from the users google account to use as encryption key for the stored preferences? 我可以从用户的Google帐户中获得一些独特而秘密的信息,用作存储的首选项的加密密钥吗? That way a malicious party would need access to both the users google account and encrypted preferences in order to do any harm. 这样,恶意方就需要访问用户的Google帐户和加密的首选项,以免造成任何伤害。
2 个解决方案
解决方案1
0 2014-08-07 12:44:52
SharedPreferences are basically like cookies, and they are widely used for authentication. SharedPreferences基本上类似于cookie,它们被广泛用于身份验证。 Use password only for first authentication, later use generated token. 仅将密码用于首次身份验证,以后再使用生成的令牌。
In case you worry someone will lose their phone, you could add option to remotely destroy data or encrypt it with password, though reverse hash is possible. 如果您担心有人会丢失手机,可以添加选项以远程销毁数据或使用密码对其进行加密,尽管可以进行反向哈希。
解决方案2
0 2014-08-07 14:09:10
It sounds like Google OAuth would be perfect for your situation, in combination with storing a user token in sharedpreferences and using SSL. 听起来Google OAuth非常适合您的情况,并且可以将用户令牌存储在共享首选项中并使用SSL。
If the user device is compromised by a malicious party that obtains root then you should assume they've retrieved any tokens on the device. 如果用户设备受到获取root的恶意方的破坏,则应假定用户已检索到设备上的所有令牌。 That said, tokens usually have a finite period of validity and can be revoked if you suspect they've been compromised. 就是说,令牌通常具有有限的有效期,如果您怀疑令牌已被盗用,则可以将其吊销。
A similar question was already asked on SO for which there's a pretty good answer . 在SO上已经提出了一个类似的问题, 答案很不错 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.