英文:
Secure ways of storing client_id's and client_secret's on android app
问题
在我的应用中,我需要传递 client_id 和 client_secret 来进行API调用。
在安卓应用中,存储 client_id 和 client_secret 的最安全方式是什么?
我已经了解了 SharedPreferences,我确定它们是不安全的。我也了解了 Keystore,但不确定是否是正确的方法。你能否建议一下存储这些信息最安全的方式是什么?
谢谢,
R
英文:
In my app, I need to pass client_id and client_secret to make my API calls.
What is the most secure way of storing client_id and client_secret's on the android app?
I have read about SharedPreferences and I am sure they are not secure. Also read about Keystore but not sure if that is the right approach. Can you please suggest what would be the most secure way of storing such information?
Thanks
R
答案1
得分: 4
移动端 OAuth 授权流程
在我的应用中,我需要传递
client_id
和client_secret
以进行 API 调用。
看起来你的移动应用中并没有使用正确的 OAuth 授权流程,因为你目前正在使用的流程需要 client_secret
。我认为你可能在尝试使用适用于 m2m(机器对机器)
授权的流程。
移动应用中应使用的正确流程是带有证明密钥的授权码流程(Authorization Code Flow with Proof Key for Code Exchange,PKCE)。
来自 auth0.com/docs:
增强的 PKCE 授权码流程引入了由调用应用程序创建的、授权服务器可以验证的秘密,称为 Code Verifier。此外,调用应用程序创建 Code Verifier 的变换值,称为 Code Challenge,并通过 HTTPS 发送此值以检索授权码。这样,恶意攻击者只能拦截授权码,而不能在没有 Code Verifier 的情况下将其交换为令牌。
你可以从 OAuth 2.0 的 RFC8252 中了解到,这是原生应用的推荐做法,该文档介绍了移动应用的最佳实践:
摘要
原生应用程序发起的 OAuth 2.0 授权请求应仅通过外部用户代理(主要是用户的浏览器)进行。
本规范详细介绍了这样做的安全性和可用性原因,以及原生应用程序和授权服务器如何实现这一最佳实践。本备忘录的状态
本备忘录记录了互联网最佳现行做法。
本文件是互联网工程任务组(IETF)的产品。它代表了 IETF 社区的共识。
经过公开审查,并获得了互联网工程指导组(IESG)的发布批准。
关于本文件当前状态的信息、勘误表以及如何就文件提供反馈,可在 RFC 7841 的第 2 节中找到。
安全地在移动应用中存储秘密信息
在 Android 应用中,最安全的存储
client_id
和client_secret
的方式是什么?
我也了解了密钥库,但不确定是否是正确的方法。请您建议存储这些信息的最安全方式是什么?
是的,Android 密钥库(Keystore)是正确的选择。你可以使用来自 Android 安全库 的密钥库来存储你的秘密信息,但要注意,攻击者可以使用插桩框架在运行时挂钩到已解密 client_id
和 client_secret
的代码,并将其提取出来以在移动应用之外使用。用于此目的的一个常用插桩框架是 Frida:
将你的脚本注入黑盒进程中。挂钩任何函数,监视加密 API 或跟踪私有应用程序代码,无需源代码。编辑,保存,即可立即看到结果。无需编译步骤或程序重新启动。
我邀请你阅读我在问题 在 Android 中安全地存储客户端证书和密钥(.pem) 上的回答,以查看有关如何在安全库中使用 Android 密钥库的更多详细信息,答案中包含一些代码示例。
愿你更上一层楼
在回答任何安全性问题时,我总是喜欢提及 OWASP 基金会的优秀工作:
OWASP 移动安全项目是一个集中的资源,旨在为开发人员和安全团队提供构建和维护安全移动应用程序所需的资源。通过该项目,我们的目标是对移动安全风险进行分类,并提供开发控制措施,以降低其影响或被利用的可能性。
移动安全测试指南(MSTG)是一本全面的手册,用于移动应用程序安全开发、测试和逆向工程。
英文:
Mobile OAuth Authorization flow
> In my app, I need to pass client_id and client_secret to make my API calls.
It seems to me that you are not using the correct OAuth authorization flow in your mobile app because the one you are using now requires the client_secret
. I think you may be trying to use the flow meant for m2m(machine to machine)
authorization.
The correct flow to use for a mobile app is the Authorization Code Flow with Proof Key for Code Exchange (PKCE).
From auth0.com/docs:
> The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.
You can read that this is the recommended approach in the OAuth 2.0 RFC8252 for Native Apps, that is about the best practices for mobile apps:
> ### Abstract
>
> OAuth 2.0 authorization requests from native apps should only be made
> through external user-agents, primarily the user's browser. This
> specification details the security and usability reasons why this is
> the case and how native apps and authorization servers can implement
> this best practice.
>
> ### Status of This Memo
>
> This memo documents an Internet Best Current Practice.
>
> This document is a product of the Internet Engineering Task Force
> (IETF). It represents the consensus of the IETF community. It has
> received public review and has been approved for publication by the
> Internet Engineering Steering Group (IESG). Further information on
> BCPs is available in Section 2 of RFC 7841.
>
> Information about the current status of this document, any errata,
> and how to provide feedback on it may be obtained at
> https://www.rfc-editor.org/info/rfc8252.
Securely storing secrets in the mobile app
> What is the most secure way of storing client_id and client_secret's on the android app?
> Also read about Keystore but not sure if that is the right approach. Can you please suggest what would be the most secure way of storing such information?
Yes, the Android Keystore is the correct way to go. You can use it from the Android Security Library to store your secrets but bear in mind that an attacker can use an instrumentation framework to hook at runtime into the code that uses the client_id
and client_secret
already decrypted and extract them for use outside of your mobile app. A popular instrumentation framework used for this propose is Frida:
> Inject your own scripts into black-box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
I invite you to read my answer to the question Store Client Certificate and key (.pem) in Android securely to see more details about using the Android Keystore with the security library, and the answer includes some code examples.
Do You Want To Go The Extra Mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation:
OWASP Mobile Security Project - Top 10 risks
> The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
> The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
答案2
得分: 3
最佳方法是使用Android的Keystore。它将为您处理密钥生成和存储。您的应用将通过KeyChain API进行通信,该API提供以下优势:
- 它会为您执行所有的加密操作
- 难以从设备中提取
- 每个应用只能访问自己的密钥(由Keystore强制执行)
在钥匙串中保护用户的机密信息
英文:
The best approach is to use Android's Keystore. It will handle the key generation, storage for you. Your app will be communicating through KeyChain API which offers the following advantages:
- It performs all the cryptography for you
- Hard to extract from device
- Each app can only access their own keys (enforced by Keystore)
Securing the user's secrets in a keychain
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论