java - 在 android 应用程序上存储 client_id 和 client_secret 的安全方法

Question

在我的应用程序中，我需要通过 client_id 和 客户 secret 进行我的 API 调用。
什么是最安全的存储方式 client_id 和 客户 secret 是在安卓应用上吗？
我读过 共享首选项 我确信它们不安全。另请阅读 keystore 但不确定这是否是正确的方法。您能否建议存储此类信息的最安全方式？
谢谢
R

Answer 1

移动 OAuth 授权流程

In my app, I need to pass client_id and client_secret to make my API calls.

在我看来，您没有在您的移动应用程序中使用正确的 OAuth 授权流程，因为您现在使用的需要 client_secret .我认为您可能正在尝试使用用于 m2m(machine to machine) 的流程。授权。
用于移动应用程序的正确流程是带有代码交换证明 key (PKCE) 的授权代码流程。
来自 auth0.com/docs :

The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

您可以读到这是 OAuth 2.0 RFC8252 中推荐的方法。对于 Native Apps，这是关于移动应用程序的最佳实践:

Abstract

OAuth 2.0 authorization requests from native apps should only be madethrough external user-agents, primarily the user's browser. Thisspecification details the security and usability reasons why this isthe case and how native apps and authorization servers can implementthis best practice.

Status of This Memo

This memo documents an Internet Best Current Practice.

This document is a product of the Internet Engineering Task Force(IETF). It represents the consensus of the IETF community. It hasreceived public review and has been approved for publication by theInternet Engineering Steering Group (IESG). Further information onBCPs is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata,and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8252.

在移动应用程序中安全地存储 secret

What is the most secure way of storing client_id and client_secret's on the android app?Also read about Keystore but not sure if that is the right approach. Can you please suggest what would be the most secure way of storing such information?

是的，Android Keystore 是正确的方法。您可以从 Android Security Library 使用它存储您的 secret ，但请记住，攻击者可以使用检测框架在运行时 Hook 到使用 client_id 的代码中。和 client_secret已经解密并提取它们以在您的移动应用程序之外使用。用于此建议的流行检测框架是 Frida :

Inject your own scripts into black-box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

我邀请您阅读 my answer安全地在 Android 中存储客户端证书和 key (.pem) 问题，以查看有关将 Android keystore 与安全库一起使用的更多详细信息，答案包括一些代码示例。
你想加倍努力吗？
在回答安全问题时，我总是喜欢引用 OWASP 基金会的出色工作:
OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide :

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.