1. 技术文章
  2. Storing OAuth keys in code for iPhone apps

Storing OAuth keys in code for iPhone apps

和自甴很熟 提交于 2020-01-13 13:11:22

问题


I'm writing an iPhone app that integrates with third party APIs. These APIs use OAuth (key/secret specific to my app not per user) in order to authenticate which app the request is being made in behalf of.

Is it secure (or how secure) is it to simply put the key/secret in code? Can this sort of data be reverse-engineered? Is there a better way to go about including this data in a project?


回答1:


There is no place on the iPhone to hide data. A user with a jailbroken iPhone has more control over the device than any developer. If possible you should setup a web service such as a REST or SOAP service to take care of these OAuth transactions on behalf of the client.




回答2:


As Rook said earlier, there is no way to hide your data in iPhone. But you can make hacker job so difficult. I just done a work around for the same issue.

  1. Put oAuth key information in PLIST
  2. Mannually I encrypt this PLIST by using AES key and I got encrypted "CIPHER TEXT"
  3. Modify the AES key by appending characters in between with your own logic. Since it required at runtime to decrypt the plist
  4. Add this modified key with plist "CIPHER TEXT" and store this value in New plist.
  5. Remove old plist which has oAuth information

Now you have only one plist which has encrypted value with modified KEY

Advantage:

  1. Hacking is so difficult since hacker don't have a proper cipher text in plist

  2. To hack this code they should know to separate Modified AES key from Cipher text.

  3. Thou they found Modified AES key, they don't have any clue about the appending algorithm, here i simple used EVEN position of the character, but you can't modify this and you can take 3rd or 4th position of the character. Which is actually will differ for each developer

for more information please visit below link;

https://sites.google.com/site/greateindiaclub/mobil-apps/ios/securelystoringoauthkeysiniosapplication




回答3:


I'd suggest looking into the Keychain services provided by Apple

http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html



来源:https://stackoverflow.com/questions/4028883/storing-oauth-keys-in-code-for-iphone-apps

标签
iphone
security
oauth
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!