比如说,我正在实现一个已安装的应用程序(桌面应用程序和 Android 应用程序),它将访问 Google 服务。我为了避免用户必须多次登录,我决定将其保存requestToken到accessToken他的本地设备。
在我浏览了几个教程后,例如http://blog.doityourselfandroid.com/2011/08/06/oauth-2-0-flow-android/,我发现这是大多数人正在做的事情。
但是,我担心的是,这样做安全吗?如果黑客从用户本地设备中获取了保存requestToken的内容怎么办?accessToken安全性会受到损害吗?黑客可以伪装成真正的用户吗?
请注意,因为该应用程序将是开源的。因此,任何人都可以访问clientID和clientSecret使用特定的 Google API。
I have also used app token in my application. I have saved it to SharedPrefs with Private mode as:
final SharedPreferences prefs = getSharedPreferences(
"app token", Context.MODE_PRIVATE);
When you save a sharedPref with Private mode, it can only be accessed by the calling application (or all applications sharing the same user ID). And whenever user logs out, clear all the sharedPrefs, so that, there will not be any copy of your app token saved in local storage of the device. This should be safe to use, and security will be ensured.
Update: App token should not be stored in SharedPreference since if the device is rooted, the sharedPrefs file can be exposed. AccountManager can be used to store token but again it can also be exposed if device is rooted. Best way is to encrypt a token with a strong encryption algo and then save it into AccountManager. The key used for encryption should be unique with every user and device combination so that even if key is compromised, hacker would be able to retrieve only data for that specific user and not all.