
How to securely save a SharedPreference on Android device?

I have a few SharedPreferences that I would like to save on the device itself as securely as possible. I know nothing about security but I found from a bit of research that what I want is something called an "obfuscator". Is that right? Is that different from "encryption", or do I want to do both? I've also found that I can use AESObfuscator or ProGuard. What are the differences? Are there even more options? Which should I use?

I'm obviously very new to security so any tutorials or other references would be helpful.

An Obfuscator will do nothing for you in this situation, as all it does essentially is rename variables to non-human readable names.

What you are going to want to do is encrypt the data as it is saved into your SharedPreferences and un-encrypt it when you read it from them.

An example of this idea is Encrypted SharedPrefs; I cannot speak for how effective it is, as I have not used it before.

The linked AESObfuscator encrypts strings with a static key, so that they can be saved to shared prefs and it is not immediately obvious what they are. This is different from a code obfuscator such as ProGuard, which mangles method and variable names in your code to make it harder to reverse-engineer. It is called 'obfuscation' and not 'encryption' because the key is in the app, and it is fairly easy to reverse (by extracting the key and decrypting). Shared prefs obfuscation will make it harder to read and modify the strings, but not impossible. If you are OK with that level of protection, do use this method. Using code obfuscation is also a good idea, so you'd want to use both.

The only supported way to make it 'impossible' to decrypt the strings is to have the user enter a password each time they use the app and derive the encryption key from it. This works, but is, needless to say, not very user friendly. If you are interested, here are some details.
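The two answers above describe the same pattern from different angles: encrypt each value before `putString()` and decrypt after `getString()` (first answer), and derive the key from a user-entered password instead of a constant baked into the APK so there is no static key to extract (second answer). The following class is an added example written for this page, not code from either answerer nor from the Encrypted SharedPrefs or AESObfuscator projects. It uses only `javax.crypto` and `java.util`, so it runs on a plain JVM; on an Android build that lacks `java.util.Base64`, `android.util.Base64` does the same job, and the platform is assumed to provide `PBKDF2WithHmacSHA256` and `AES/GCM/NoPadding`. The class name, the preference keys and the sample password and token are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Encrypts and decrypts individual preference values with an AES-256-GCM key
 * derived from a user password (PBKDF2). Only the random salt is stored on
 * the device; the key exists in memory for as long as the user's session.
 */
public final class PrefCrypto {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;            // standard GCM nonce length
    private static final int TAG_BITS = 128;           // GCM authentication tag length
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;
    private final byte[] salt;

    private PrefCrypto(SecretKey key, byte[] salt) {
        this.key = key;
        this.salt = salt;
    }

    /** First run: pick a fresh salt. The salt is not secret and is saved alongside the values. */
    public static PrefCrypto create(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new PrefCrypto(deriveKey(password, salt), salt);
    }

    /** Later runs: re-derive the same key from the password and the stored salt. */
    public static PrefCrypto open(char[] password, byte[] salt) throws Exception {
        return new PrefCrypto(deriveKey(password, salt), salt);
    }

    public byte[] salt() {
        return salt.clone();
    }

    private static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns Base64(iv || ciphertext || tag), a plain String that putString() can store. */
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                               // fresh nonce per value, never reused with this key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Inverse of encrypt(). A wrong password or an edited prefs file fails the GCM tag check. */
    public String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "user-entered-password".toCharArray();   // constructed sample input
        PrefCrypto session = PrefCrypto.create(password);
        String stored = session.encrypt("api-token-123");          // constructed sample value
        // On Android this is the point where the value goes into the preferences, e.g.
        // prefs.edit().putString("token", stored)
        //      .putString("salt", Base64.getEncoder().encodeToString(session.salt())).apply();
        PrefCrypto nextLaunch = PrefCrypto.open(password, session.salt());
        System.out.println("decrypted: " + nextLaunch.decrypt(stored));
        try {
            PrefCrypto.open("wrong-password".toCharArray(), session.salt()).decrypt(stored);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password or tampered value: decryption refused");
        }
    }
}
```

GCM is used rather than a bare block mode so that an attacker who edits the XML file on a rooted device cannot silently change a stored value: the tag check fails and `decrypt()` throws instead of returning garbage. If the password prompt on every launch is unacceptable, the same class works with a key held in the Android Keystore, but then the protection drops back to "harder, not impossible" as the second answer warns, since whatever can ask the Keystore to decrypt on the device can do so.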

I did some research about this problem when I needed to "hide" some URLs in Java files. In your case it will be some sort of secret key to encrypt your Strings. There is the problem that whole code in Java/Android can be read by anyone using some sort of reverse engineering. Sometimes it's pretty easy and obfuscators like ProGuard make it a little bit harder. So your encrypting key will be visible to anyone. There are some (paid) obfuscators which can hide even Strings in Java files, but I'm not sure how solid they are.
In short - save your Strings outside of the device on your server and use some sort of secure connection between your device and server (SSL). Or you can ask your server to crypt it and send it back to you. If you save your secret key on the device you can never be sure if someone will use reverse engineering to read it.

The only secure way is not to keep any sensitive information on the device - if it is there, it will be extracted, provided its value is more than the time of somebody who does the work (and skilled kids in 3rd world countries are really cheap in terms of money and rich in time). You may look at how this is done with OAuth - this technology allows 3rd party apps (for example) to log in to Twitter without compromising security credentials (or the app ever seeing them).

One good library is: http://code.google.com/p/oauth-signpost/
