简体繁体 English

在iOS上存储身份验证令牌

[英]Storing authentication token on iOS

原文 2012-10-03 15:55:55 0 3 iphone/ ios/ xcode/ security/ authentication

I am building an iOS application and the user authenticates with my web service. 我正在构建一个iOS应用程序，用户使用我的Web服务进行身份验证。 I don't want them to login every time the app launches (the token lasts a month). 我不希望他们每次启动应用程序时都会登录（令牌持续一个月）。 So I'd like to cache this on the device somewhere. 所以我想把它缓存在某个地方的设备上。

What's the best way to do this, securely? 安全地做到这一点的最佳方法是什么？

Can I just rely on the app remaining suspended and keeping the token in 'memory'? 我可以依靠应用程序保持暂停并将令牌保留在“内存”中吗？

3 个解决方案

2 options 2个选项

Make use of NSUserdefault (store as access token or textfield inputs[Remember me option]) 使用NSUserdefault （存储为访问令牌或文本字段输入[记住我选项]）
Keychain access(recommended) for doing the job. 用于完成工作的钥匙串访问（推荐）。

NSUserdefaults is not secure for storing such credible values which is for authentication purpose.Keychain on the other hand is made to do this,safe and secure. NSUserdefaults对于存储用于认证目的的可靠值是不安全的。另一方面，Keychain是这样做的，安全可靠。

You can't rely that iOS will keep your application forever in the memory. 您不能相信iOS会将您的应用程序永久保留在内存中。 So, you have to save the token to persistent storage at some point. 因此，您必须在某个时刻将令牌保存到持久存储。

Look at Keychain Service for iOS . 查看iOS的Keychain服务。 This is the best place to store things like passwords, tokens and other keys. 这是存储密码，令牌和其他密钥等内容的最佳位置。

You can't do it "securely." 你不能“安全地”做到这一点。 A token is public knowledge, and as soon as its on your device a hacker could gain access to it no matter what you try to do to protect it. 令牌是公共知识，一旦它在您的设备上，黑客可以获得访问它，无论您尝试做什么来保护它。 Putting it in the keychain won't change this fact. 把它放在钥匙串中不会改变这个事实。 Even if you store it there, which would make it secure while it's in there, they can simply wait until it expires then snag the next one when it comes in over the wire next time. 即使你把它存放在那里，这会使它在那里安全，它们可以简单地等到它过期，然后在下一次通过电线进入时阻止下一个。 Your access tokens aren't the thing you need to worry about securing, because you can't, in fact, do that in a mobile environment. 您访问令牌不是您需要担心的安全问题，因为您实际上无法在移动环境中执行此操作。

What this means is that you can store it anywhere you'd like. 这意味着您可以将它存储在任何您喜欢的地方。 NSUserDefaults is fine, the keychain is fine, a database is fine, a text file in your documents directory is fine. NSUserDefaults很好，钥匙串很好，数据库很好，文档目录中的文本文件很好。 All of them are equally secure because a determined hacker can simply wait for the right opportunity to access the data they want. 所有这些都是同样安全的，因为坚定的黑客可以简单地等待合适的机会访问他们想要的数据。 You should instead worry about securing your users' authentication credentials. 您应该担心保护用户的身份验证凭据。 Make sure you store those in the keychain, and only ever communicate with your API over HTTPS to a server with a valid SSL certificate. 确保将它们存储在钥匙串中，并且只能通过HTTPS与具有有效SSL证书的服务器通信。