I am going to use oAuth to fetch mails and contacts from google. I don't want to ask the user each time to log in to obtain an access token and secret. From what I understood, I need to store them with my application either in a database or SharedPreferences. But I am a bit worried about security aspects with that. I read that you can encrypt and decrypt the tokens but it is easy for an attacker to just decompile your apk and classes and get the encryption key.
What's the best method to securely store these tokens in Android?
ベストアンサー1
Store them as shared preferences. Those are by default private, and other apps cannot access them. On a rooted devices, if the user explicitly allows access to some app that is trying to read them, the app might be able to use them, but you cannot protect against that. As for encryption, you have to either require the user to enter the decrypt passphrase every time (thus defeating the purpose of caching credentials), or save the key to a file, and you get the same problem.
実際のユーザー名とパスワードの代わりにトークンを保存することには、いくつかの利点があります。
- サードパーティのアプリはパスワードを知る必要がなく、ユーザーはパスワードが元のサイト (Facebook、Twitter、Gmail など) にのみ送信されることを確信できます。
- 誰かがトークンを盗んだとしても、パスワードを見ることはできません(ユーザーが他のサイトでも使用している可能性があります)。
- トークンには通常有効期間があり、一定期間後に期限切れになります。
- トークンが侵害された疑いがある場合は取り消される可能性があります