【问题标题】:Accessing password from field in a secure way以安全的方式从现场访问密码
【发布时间】:2016-11-23 10:37:09
【问题描述】:
String basicAuth = "Basic " + Base64.encodeToString( (emailText.getText().toString() + ":" + passwordText.getText().toString()).getBytes(), Base64.NO_WRAP);

如何处理。我需要制作基本的身份验证令牌。输入密码后,可以在调试器中的EditText passwordText中找到密码。这会显示在内存转储中吗?不仅如此 getText().toString() 字符串会在内存中保留一段时间吗?我知道您可以轻松找到令牌,但这不是重点,重点是没有人能够找到您的密码。我该怎么办?

【问题讨论】:

    标签: android security passwords


    【解决方案1】:

    这是我正在使用的。 AES 加密存储敏感数据

    package com.myapp.utilities;
    
    import android.content.Context;
    import android.provider.Settings;
    import android.text.TextUtils;
    import android.util.Base64;
    
    import java.security.MessageDigest;
    import java.security.spec.AlgorithmParameterSpec;
    
    import javax.crypto.Cipher;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    
    public class Security {
        private static final String TAG = Security.class.getSimpleName();
    
        private Cipher cipher;
        private SecretKeySpec key;
        private AlgorithmParameterSpec spec;
    
        public Security(Context context) throws Exception {
            // hash password with SHA-256 and crop the output to 128-bit for key
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
    
            String secret = Settings.Secure.getString(context.getContentResolver(), Settings.Secure.ANDROID_ID);
    //        secret = "asjldknfajlsdbc DCNJANSDKJNACSDCnmcnc ###";
    
            digest.update(secret.getBytes("UTF-8"));
            byte[] keyBytes = new byte[32];
            System.arraycopy(digest.digest(), 0, keyBytes, 0, keyBytes.length);
    
            cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
            key = new SecretKeySpec(keyBytes, "AES");
            spec = getIV();
        }
    
        public AlgorithmParameterSpec getIV(){
            byte[] iv = {
                    (byte) 0x8E, 0x12, 0x39, (byte) 0x9C, 0x07, 0x72, 0x6F, 0x5A,
                    (byte) 0x8E, 0x12, 0x39, (byte) 0x9C, 0x07, 0x72, 0x6F, 0x5A
            };
            IvParameterSpec ivParameterSpec;
            ivParameterSpec = new IvParameterSpec(iv);
    
            return ivParameterSpec;
        }
    
        public String encrypt(String plainText) throws Exception{
            if (!TextUtils.isEmpty(plainText)) {
                cipher.init(Cipher.ENCRYPT_MODE, key, spec);
                return new String(Base64.encode(cipher.doFinal(plainText.getBytes("UTF-8")), Base64.DEFAULT), "UTF-8");
            }
            return null;
        }
    
        public String decrypt(String cryptedText) throws Exception {
            if (!TextUtils.isEmpty(cryptedText)) {
                cipher.init(Cipher.DECRYPT_MODE, key, spec);
                return new String(cipher.doFinal(Base64.decode(cryptedText, Base64.DEFAULT)), "UTF-8");
            }
            return null;
        }
    }
    

    关于内存转储的问题,它仍然在手机内,并且没有泄漏到手机外。您将通过网络发送加密数据而不是简单数据。显然,键盘记录器或类似工具可以轻松检测到这一切,但有多少人会这样做呢?谁将在输入密码时即时加密字符串?

    【讨论】:

      猜你喜欢
      • 2015-11-05
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2013-12-15
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2013-04-02
      相关资源
      最近更新 更多