在我的应用程序中,我需要通过 client_id 和 客户 secret 进行我的 API 调用。
什么是最安全的存储方式 client_id 和 客户 secret 是在安卓应用上吗?
我读过 共享首选项 我确信它们不安全。另请阅读 keystore 但不确定这是否是正确的方法。您能否建议存储此类信息的最安全方式?
谢谢
R
最佳答案
移动 OAuth 授权流程
In my app, I need to pass client_id and client_secret to make my API calls.
在我看来,您没有在您的移动应用程序中使用正确的 OAuth 授权流程,因为您现在使用的需要
client_secret .我认为您可能正在尝试使用用于 m2m(machine to machine) 的流程。授权。用于移动应用程序的正确流程是带有代码交换证明 key (PKCE) 的授权代码流程。
来自 auth0.com/docs :
The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.
您可以读到这是 OAuth 2.0 RFC8252 中推荐的方法。对于 Native Apps,这是关于移动应用程序的最佳实践:
Abstract
OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case and how native apps and authorization servers can implement this best practice.
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8252.
在移动应用程序中安全地存储 secret
What is the most secure way of storing client_id and client_secret's on the android app? Also read about Keystore but not sure if that is the right approach. Can you please suggest what would be the most secure way of storing such information?
是的,Android Keystore 是正确的方法。您可以从 Android Security Library 使用它存储您的 secret ,但请记住,攻击者可以使用检测框架在运行时 Hook 到使用
client_id 的代码中。和 client_secret已经解密并提取它们以在您的移动应用程序之外使用。用于此建议的流行检测框架是 Frida :Inject your own scripts into black-box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
我邀请您阅读my answer安全地在 Android 中存储客户端证书和 key (.pem) 问题,以查看有关将 Android keystore 与安全库一起使用的更多详细信息,答案包括一些代码示例。
你想加倍努力吗?
在回答安全问题时,我总是喜欢引用 OWASP 基金会的出色工作:
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide :
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
关于java - 在 android 应用程序上存储 client_id 和 client_secret 的安全方法,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64425326/