简体繁体 English

您是否应该使用AccountManager存储Android应用的用户名和密码？

[英]Should you use AccountManager for storing Usernames and Passwords for an Android app?

原文 2012-06-05 00:39:48 3 2 java/ android/ accountmanager/ password-storage/ android-account

I would like to know if one should implement AccountManager to save user credentials such as username, email, passwords etc. I can't find a good reason to use it myself. 我想知道是否应该实施AccountManager来保存用户凭据，如用户名，电子邮件，密码等。我找不到自己使用它的充分理由。

I don't want other applications to have access to the Accounts and I don't really want them showing in the "Accounts and Sync" settings (although maybe that's not a big deal). 我不希望其他应用程序访问Accounts ，我真的不希望它们显示在“帐户和同步”设置中（虽然这可能不是什么大问题）。

So my question is: should I use it? 所以我的问题是：我应该使用它吗？ Pros/cons? 优点缺点？ Can I hide the Accounts from other apps and stop them from appearing in "Accounts and Sync"? 我可以隐藏其他应用程序中的Accounts并阻止它们出现在“帐户和同步”中吗？

2 个解决方案

This accepted answer to this question would probably help you... What should I use Android AccountManager for? 这个问题的接受答案可能对你有帮助...... 我应该使用Android AccountManager做什么？

It should also be pointed out, as mentioned in the above post and also in AccountManager without a SyncAdapter? 还应该指出，如上面的帖子和没有SyncAdapter的AccountManager中所提到的那样？ , that you can't have an AccountManager without a SyncAdapter , so its probably not good to use this for your particular situation. ，你没有没有SyncAdapter的AccountManager ，所以在你的特定情况下使用它可能不好。

I can't see any reason to use an AccountManager specifically for storing this type of information - at the end of the day, its no different to manually storing the data yourself in your own database or file. 我看不出任何理由使用AccountManager专门用于存储此类信息 - 在一天结束时，将数据自己手动存储在您自己的数据库或文件中也没有什么不同。 If anything, it probably complicates things - why don't you just store it in SharedPreferences ? 如果有的话，它可能使事情变得复杂 - 为什么不将它存储在SharedPreferences ？

The only reason I could think of that would encourage the use of AccountManager would be if you want to share your account across a number of different apps, as the data is stored in the central Android datastore which can be accessed by all apps. 我想到的唯一原因是鼓励使用AccountManager ，如果你想在多个不同的应用程序之间共享你的帐户，因为数据存储在可以被所有应用程序访问的中央Android数据存储区中。 However, if this isn't required, I think its probably easier and simpler to just use SharedPreferences 但是，如果不需SharedPreferences ，我认为使用SharedPreferences可能更简单，更简单

Overview 概观

Using an AccountManager to store credentials is a much secure way than storing in a file or a SQL DB. 使用AccountManager存储凭据比存储在文件或SQL DB中更安全。
A file can be retrieved by any other app unlike via AccountManager Android will enforce that only your app will be able to access to the key. 任何其他应用程序都可以检索文件，而不像通过AccountManager，Android将强制只有您的应用程序才能访问该密钥。

But even the AccountManager is not fully secured in case of lost phone for example, see this for more info . 但是，如果丢失手机，即使AccountManager也没有完全安全，请参阅此信息以获取更多信息。

Good practice(s) 良好做法

I would recommend to use the AccountManager and not store the password in clear but the hash. 我建议使用AccountManager，而不是将密码存储为clear而是hash。
And for a better level of security it's even better to store a device dedicated token delivered by the webservice and associated to the account (on the webservice side) and enable the user to revoke the token. 为了更好的安全级别，最好存储由Web服务提供并与帐户相关联的设备专用令牌（在Web服务端）并使用户能够撤销令牌。

Not good 不好

Do not store a clear or even hashed password as a file or in a DB accessible by anyone. 不要存放清晰甚至哈希密码的文件或由任何人访问的数据库。
Never store a clear password but always work with a hash instead. 永远不要存储明确的密码，但始终使用哈希。