Android 手机上的 OAuth 安全问题?
我正在编写一个将在 Android 手机上运行的客户端应用程序,该应用程序将代表用户与 OAuth 服务器进行交互。我在 Web 服务器上运行 OAuth 服务器端代码,用于在与远程 OAuth 服务器握手时维护 OAuth 会话详细信息。现在我正在争论如何最好地处理智能手机上的客户端注意事项。
对于这个问题,我们假设我过去收到了远程 OAuth 服务器在用户登录并且用户授予我的应用程序访问权限后授予我的访问令牌。我们还假设它是一个“在撤销之前有效”的访问令牌。
当然,主要关心的是实施不会让用户面临风险的东西。最简单的方法是让我的 Web 服务器以加密形式将访问令牌返回到智能手机上的客户端代码,然后将该加密令牌简单地存储在用户的本地存储中。或者,为了获得更严格的安全性,请返回我自己的加密唯一标识符,智能手机上的客户端代码会随每个请求传递该标识符。然后,我的网络服务器可以解密收到的 ID,并在本地数据库中查找最新的访问令牌。这看起来非常安全,除非用户丢失手机。我想我可以在浏览器上实现类似“记住我”选项的功能,这样如果用户没有选中它,那么每个会话都会触发一个新的重新授权会话。
如果我的应用程序正在处理财务信息,那么我什至不会考虑“记住我”选项,但远程 OAuth 服务器背后的应用程序更多的是 Twitter 或 Flickr 的敏感度级别。
我的问题是:
- 我提出的访问令牌管理和 OAuth 处理方案对于我所描述的应用程序来说是否足够健全和安全?
- 有更好的方法吗?如果是这样怎么办?
- 您对 OAuth 和手机还有其他想法或评论吗?
** 更新 - 在这篇文章发布后,在相关问题列表中找到了这些非常有用的线程:
我可以避免将我的 Twitter API 消费者密钥烘焙到我的 iPhone 应用程序二进制文件中吗?
** 更新 2 - 如果您从会话 OAuth 存储切换到 MySQL 等数据库存储,请记住为给定的服务器注册服务器消费者密钥和用户 ID,否则在调用 requestRequestToken 时会出现错误。这个有关 ELance API 的网页有一个很好的示例(查找标题为“步骤 2:获取请求令牌”的部分,并查找包含 updateServer 调用的代码段):
http://www.elance.com/p/api/examples/oauth/php
您必须调整该示例您自己的远程 OAuth 服务器需要。
——罗施勒
I am writing a client application that will run on Android phones that will interact with an OAuth server on the user's behalf. I have the OAuth server side code running on my web server for maintaining the OAuth session details while handshaking with the remote OAuth server. Now I am wrangling with how to best handle the client side considerations on the smart phone.
Let's assume for this question that I have, in the past, received an access token granted to me by the remote OAuth server after they logged the user in and the user granted my application access rights. Let's also assume it is a "good until revoked" access token.
The main concern of course is implementing something that does not leave the user at risk. The simplest method would be to have my web server return the access token to my client code on the smart phone in encrypted form, and simply store that encrypted token in the user's local storage. Or for even tougher security, return my own encrypted unique identifier that my client code on the smart phone passes in with each request. My web server could then decrypt the received ID, and lookup the most recent access token in a local database. This seems pretty secure except in the case of the user losing the phone. I guess I could implement something like the "remember me" option on browser's so if the user does not check it then a new re-authorization session would be triggered every session.
If my application were dealing with financial information then I would not even consider a "remember me" option, but the application behind the remote OAuth server is more on the level of sensitivity of Twitter or Flickr.
My questions are:
- Is my proposed access token management and OAuth handling scheme sound and secure enough for the application I am describing?
- Are there better methods? If so what?
- Any other thoughts or comments you might have on OAuth and mobile phones?
** UPDATE - found these very helpful thread in the related questions list after this post was published:
Can I avoid baking my Twitter API consumer secret into my iPhone app binary?
** UPDATE 2 - If you switch from a Sessions OAuth store to a database store like MySQL, remember to register the server for the given consumer key and user ID or you will get an error when you call requestRequestToken. This web page concerning the ELance API has a nice example (Look for the section titled "Step 2: Get Request Token" and look for the snippet with the updateServer call):
http://www.elance.com/p/api/examples/oauth/php
You'll have to adapt the example for your own remote OAuth server needs.
-- roschler
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我有一些使用 Yandex(俄罗斯排名第一的搜索引擎)OAuth 服务器的经验。他们就是这样做的。OAurh
服务器只能通过 HTTPS 访问。因此,令牌通过网络以加密方式传输。由于它是 HTTPS - 客户端可以通过证书检查来检查服务器的有效性。
此外,他们建议以加密方式存储收到的访问令牌。对于我来说,我有自己的存储实现,它以 3DES 加密的方式将访问令牌存储在 SharedPreferences 中。 3DES 加密的关键是用户选择的“PIN 码”。每次应用程序启动时,它都会请求 PIN,然后尝试解密令牌。
您可以查看我的库实现对其中一项 Yandex 服务的访问(使用 OAuth 授予访问权限)。
I have some experience working with Yandex (No. 1 Russian search engine) OAuth servers. This is how they do it..
OAurh server accessed only by HTTPS. Thus, token is transferred by the network in encrypted manner. As it is HTTPS - client can check servers validity via certificates checking.
Also, they recommend to store received access token in encrypted way. As for me, i have my own storage implementation, which stores access token in 3DES-encrypted way in SharedPreferences. Key to 3DES encryption is a users selected "PIN-code". Each time application starts it is requesting a PIN and then trying to decrypt token.
You can look at my library implementing access to one of the Yandex serices (using OAuth to grant access).