如何安全地在Android上存储密码?
[英]How to safely store passwords on Android?
问题描述
The task is to save the entered password(PasswordStr) or mKey.getEncoded byte[] and later automatically send to the Crypto API (Cipher) 
任务是保存输入的密码(PasswordStr)或mKey.getEncoded byte [],然后自动发送到Crypto API(Cipher)
SecretKey mKey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(PasswordStr.toCharArray());
It is clear that this password can also be encrypted , but this will require another password and so on to infinity. 很明显,这个密码也可以加密,但是这需要另一个密码等等。
May be Android already provides a mechanism for storing passwords? 可能是Android已经提供了存储密码的机制吗?
ps use remote server is not possible. ps使用远程服务器是不可能的。 Need to be stored locally. 需要在本地存储。
3 个解决方案
解决方案1
3 2015-01-25 14:08:40
You can use Android's Keystore API . 您可以使用Android的Keystore API 。
A secret is encrypted by a masterpassword derived from the phone's password or pin. 秘密由来自手机密码或密码的masterpassword加密。 It is regarded as a good software based encryption solution. 它被认为是一种优秀的基于软件的加密解决方案。 Note, that the user must set a password/pin on his phone for this to work. 请注意,用户必须在手机上设置密码/密码才能使用。
Nelenkov gives a good overview: Nelenkov给出了一个很好的概述:
Android's credential storage is implemented as a native Linux service (daemon), with a few extra layers on top of it that make it available to the framework.
- it's a native daemon, started at boot
- it provides a local control socket to allow apps and system services to talk to it
- it encrypts keys using an AES 128 bit master
- key encrypted keys are stored in /data/misc/keystore, one file per key
- the master key is derived from the device unlock password or PIN it
- authorizes administration commands execution and key access based on caller UID
See the Android Documentation for more details. 有关详细信息,请参阅Android文档 。
解决方案2
2 2015-01-25 14:06:36
Check Handling Credentials section on the android developers guide . 在Android开发人员指南中检查处理凭据部分 。 I'll quote it here. 我在这里引用它。
Where possible, username and password should not be stored on the device. 如果可能,用户名和密码不应存储在设备上。 Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived , service-specific authorization token . 而是使用用户提供的用户名和密码执行初始身份验证,然后使用短期服务特定的授权令牌 。
Services that will be accessible to multiple applications should be accessed using AccountManager . 应使用AccountManager访问多个应用程序可访问的服务。 If possible, use the AccountManager class to invoke a cloud-based service and do not store passwords on the device. 如果可能,请使用AccountManager类调用基于云的服务,并且不要在设备上存储密码。
After using AccountManager to retrieve an Account , CREATOR before passing in any credentials, so that you do not inadvertently pass credentials to the wrong application. 使用AccountManager在传入任何凭据之前检索帐户 CREATOR ,这样您就不会无意中将凭据传递给错误的应用程序。
If credentials are to be used only by applications that you create, then you can verify the application which accesses the AccountManager using checkSignature() . 如果凭据仅由您创建的应用程序使用,则可以使用checkSignature()验证访问AccountManager的应用程序。 Alternatively, if only one application will use the credential, you might use a KeyStore for storage. 或者,如果只有一个应用程序将使用该凭据,您可以使用KeyStore进行存储。
解决方案3
0 2015-01-25 13:48:52
you can use SQLCipher for android. 你可以使用SQLCipher for android。 It is an extension of SQLite that provides transparent 256-bit AES encryption of database files 它是SQLite的扩展,为数据库文件提供透明的256位AES加密
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.