flutter - 将 Json 配置文件保存为 flutter 中的资产是否安全?
[英]flutter -Is it secure to save Json config file as assets in flutter?
问题描述
I am working on an app, and I want to know what is the best way to store the config file.
我正在开发一个应用程序,我想知道存储配置文件的最佳方式是什么。 Now, I am planning to use a JSON file and save it as assets.现在,我打算使用 JSON 文件并将其保存为资产。 However, the file is important,it should not be accessed by others.但是,该文件很重要,不应被他人访问。
1 个解决方案
解决方案1
7 已采纳 2020-05-09 04:36:46
I am an expert in CyberSecurity and I have some considerations to say.我是网络安全方面的专家,我有一些考虑要说。 The first is that it is impossible for you to totally prevent an attacker from having access to sensitive information, all you can do is make it difficult, often to the point that it takes years to succeed, but there is nothing 100% safe from reverse engineering.首先是你不可能完全阻止攻击者访问敏感信息,你所能做的就是让它变得困难,通常需要数年才能成功,但没有什么是 100% 安全的工程。
The second consideration is: There is only one way that will give the attacker data from the tray, and it can be considered the most vulnerable way to save sensitive data: Save to assets, in a json file.第二个考虑是:只有一种方法可以从托盘中向攻击者提供数据,它可以被认为是保存敏感数据的最易受攻击的方法:保存到资产,在 json 文件中。 It seems ironic that you mention it.你提到它似乎具有讽刺意味。
Json is the most human-readable language that exists (and it is impossible to lose this position, read a file in quotes and its value with: it is intuitive even for those who do not program), if it is in the assets folder, it will be a file totally unprotected after compilation, which can be extracted without decompiling the apk, just using any file roller. Json 是现有的人类可读性最强的语言(并且不可能丢失这个 position,读取带引号的文件及其值:即使对于不编程的人也很直观),如果它位于资产文件夹中,这将是一个编译后完全不受保护的文件,无需反编译apk即可提取,只需使用任何文件滚轮即可。 This is practically saying: look and read my file, I'm begging you for it.这实际上是在说:查看并阅读我的文件,我求你了。
Sensitive data must be stored on the android on the keystore, and on iOS on the Keychain.敏感数据必须存储在 keystore 上的 android 和 Keychain 上的 iOS 上。 There is a Flutter plugin that abstracts this for you ( https://pub.dev/packages/flutter_secure_storage ).有一个 Flutter 插件为您抽象了这个( https://pub.dev/packages/flutter_secure_storage )。
As a specialist in CyberSecurity, I need to tell you that even storing like this, you will not be 100% safe, in fact, security of this level does not exist.作为网络安全专家,我需要告诉你,即使是这样存储,你也不会是 100% 安全的,事实上,这种级别的安全性是不存在的。 But what I recommend that will at least take some work and eliminate 99% of the people who are looking to break your app, is:但我建议至少需要做一些工作并消除 99% 想要破坏您的应用程序的人是:
Convert json to String, and save it in encrypted FSS, without plain text.将 json 转换为字符串,并保存在加密的 FSS 中,没有明文。 When you need the file, take the generated string, decrypt it, and turn it back into json.当您需要该文件时,获取生成的字符串,对其进行解密,然后将其转回 json。 Remembering that the encryption key must also be stored, or if you are going to put it in your code, don't do it with plain text, encrypt it beforehand, or at least convert it to base64 (this is not security, it will only make literal searches difficult), and finally, don't use words like 'token', 'secure', 'secret' as a key, because those are the first words searched.请记住,加密密钥也必须存储,或者如果您要将其放入您的代码中,请不要使用纯文本,预先加密,或至少将其转换为 base64(这不安全,它会只会使文字搜索变得困难),最后,不要使用诸如“令牌”、“安全”、“秘密”之类的词作为密钥,因为这些是搜索的第一个词。 Test something completely unusual, I used magnolia until one of these days (and I'm counting here because I changed).测试一些完全不寻常的东西,直到这些日子的某一天我都使用木兰(我在这里数数是因为我改变了)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.