Store client secret securely
I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.
But the people in charge of the service I am authenticating to don't want to / can't change it. So I need to store the client secret and try to protect it from reverse engineering as much as I can.
So I thought of encrypting it at build time using Gradle and storing it in a file. Then, when I need it at run time, I decrypt it. But now I have to solve the problem of how to store the encryption key...
I don't know much about security, so I don't know if this can be solved, or if Android (min SDK 15) provides any mechanism for this kind of scenario.
Any idea?
This article suggests these options, from less to more secure:
1. Store in cleartext
2. Store encrypted using a symmetric key
3. Use the Android Keystore
4. Store encrypted using asymmetric keys
Probably, using a combination of #4 and some way to univocally identify the device would be secure enough.
Maybe the best option is to use the NDK because it cannot be decompiled, as Godfrey Nolan points out here.
Here is a resource I found useful that helped me to implement it: link to the resource
Cheers
As you said, whatever you do, however much you try to hide your key, you cannot hide it 100%. But, if you want to make the reverse engineer's work harder:
Firstly, obfuscate your client (I guess you already do).
Secondly, do not hard-code your key into the client. Receive the key after login or after the user opens the application, and deliver the secret key to the client over SSL. Store the secret as a byte array and do not save it into the client; just keep it in memory.
These steps do not guarantee the safety of the secret key, but they make the reverse engineer's job really hard.
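The in-memory handling this answer describes, as an added example (mine, not the answer's code): after login the server returns a per-session secret over TLS, the app keeps it only as a byte[] in memory, uses it to sign each request, and zeroes it on logout. The server-side check is included so the other half of the exchange is visible. The canonical request string, the 300-second replay window and the use of HMAC-SHA256 are my assumptions, not something the answer specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Per-session secret that exists only in memory. Example code for this page,
 * not from the original answer. set() receives the bytes the server returned
 * after login (over TLS); nothing here touches SharedPreferences, files or the APK.
 */
public final class SessionSecret {
    private static final long MAX_SKEW_SECONDS = 300; // assumed replay window

    private byte[] key; // null until login; zeroed by clear()

    public void set(byte[] fromServer) {
        clear();
        key = fromServer.clone();
    }

    public boolean isSet() {
        return key != null;
    }

    /** Signs method, path, timestamp and body with HMAC-SHA256; returns lowercase hex. */
    public String sign(String method, String path, long unixTime, byte[] body) throws Exception {
        if (key == null) {
            throw new IllegalStateException("no session secret; log in first");
        }
        return hmacHex(key, method, path, unixTime, body);
    }

    /** Call on logout, on session expiry, or when the app goes to the background. */
    public void clear() {
        if (key != null) {
            Arrays.fill(key, (byte) 0);
            key = null;
        }
    }

    /**
     * Server-side check: the server keeps its own copy of the session secret,
     * rejects stale timestamps and compares the tag in constant time.
     */
    public static boolean verifyOnServer(byte[] serverCopyOfKey, String method, String path,
                                         long unixTime, byte[] body, String hexSignature,
                                         long serverNow) throws Exception {
        if (Math.abs(serverNow - unixTime) > MAX_SKEW_SECONDS) {
            return false; // replayed or badly skewed request
        }
        String expected = hmacHex(serverCopyOfKey, method, path, unixTime, body);
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                hexSignature.getBytes(StandardCharsets.UTF_8));
    }

    private static String hmacHex(byte[] k, String method, String path, long unixTime,
                                  byte[] body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(k, "HmacSHA256"));
        // Canonical string; the server rebuilds exactly this before comparing.
        mac.update((method + "\n" + path + "\n" + unixTime + "\n").getBytes(StandardCharsets.UTF_8));
        mac.update(body);
        byte[] tag = mac.doFinal();
        StringBuilder sb = new StringBuilder(tag.length * 2);
        for (byte b : tag) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Send the hex tag and the timestamp as request headers and let the server call verifyOnServer() with its copy of the session secret. The secret still sits in the app's heap while the session is alive, so a debugger or a memory dump on a rooted device can read it; that is the residual risk the answer's last sentence refers to, and it is smaller than shipping a secret in the APK because it is per-session and never at rest.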
@Semih's answer was on the right track. The secret key part is what needs to be expanded upon.
The secret key is built using the following after the login process is complete.
Any future requests would involve the following.
All data being sent from the client to the server would be encrypted using JWT; the message would be signed by the app's private key and encrypted using the server's public key.
The problem is securing #1: anyone can log in and get the process started, so how would you prevent that? The only way I can think of is to do a CAPTCHA check on the login.
The solution pushes the storage of the client secrets to the server rather than the app itself, protecting it using the app's credentials.