Access Tokens Persistence Best Practices (iOS)

Submitted by 久未见 on 2019-11-29 00:53:01

Question


Should access tokens for services like Twitter and Facebook be encrypted? In particular, should tokens be stored in the device's Keychain vs. UserDefaults? What are some possible security issues that could arise if a user's device is stolen/taken?

This is what I have come up with so far.

Pros of Keychain: Encrypted

Cons: No way to clean up when user removed app

Pros of UserDefaults: Kept inside the app.

Cons: No encryption.


Answer 1:


Your UserDefaults 'con' needs amending: no encryption by default. You can encrypt the content yourself using e.g. CommonCrypto, but it needs additional work over storing the plain text.

The point of an OAuth token is that someone who owns that token can use the relevant service without having to present credentials. Therefore, you should protect it like you would protect the password if you had to store that instead, as it has the same value.

If the user's device is stolen, then unless they have passcode-locked their device the thief has the capability to use your app as the user in either of the situations you describe. If you do not encrypt the access token, then they additionally have the capability to extract that and replay it from code under their control.
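A Keychain-backed token store, as an added example that is not part of the original answer. The service and account strings and the "hasLaunchedBefore" flag are assumed names; the last method addresses the question's cleanup con by using UserDefaults (which does not survive app deletion) to detect a fresh install and wipe the leftover Keychain item.

```swift
import Foundation
import Security

/// Minimal Keychain wrapper for an OAuth access token (added example).
enum TokenStore {
    // Hypothetical identifiers; use values unique to your app.
    static let service = "com.example.myapp.oauth"
    static let account = "twitter-access-token"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Store (or replace) the token. WhenUnlockedThisDeviceOnly means the item is
    /// readable only while the device is unlocked and is never migrated to another
    /// device via backups, which limits what a thief gets from a locked phone.
    @discardableResult
    static func save(_ token: String) -> OSStatus {
        guard let data = token.data(using: .utf8) else { return errSecParam }
        _ = SecItemDelete(baseQuery as CFDictionary)  // replace any existing item
        var attrs = baseQuery
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    @discardableResult
    static func delete() -> OSStatus { SecItemDelete(baseQuery as CFDictionary) }

    /// Keychain items survive app deletion; UserDefaults does not. A missing
    /// "hasLaunchedBefore" flag therefore signals a fresh install: wipe the token.
    static func clearOnFreshInstall() {
        let defaults = UserDefaults.standard
        guard !defaults.bool(forKey: "hasLaunchedBefore") else { return }
        delete()
        defaults.set(true, forKey: "hasLaunchedBefore")
    }
}
```

Call `TokenStore.clearOnFreshInstall()` early in app launch, before any code reads the token.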



Source: https://stackoverflow.com/questions/5793128/access-tokens-persistence-best-practices-ios
