我的安套含有用于推特的Auth消费者秘密。 此时此刻,在明文文本中的<编码>.properties文档中,有人在APK中找不到。
我是否应该采取步骤掩盖它(例如,rot13或储存在混淆的 Java法中)? 或者,我是否实际上避免这样做,因为这样做会造成虚假的安全感?
How do people usually distribute/store OAuth secret in Android apps? How common it is for the secret to be stolen and abused?
真正的问题是,攻击者从偷窃那里得到什么东西......
你们应尽最大的努力保护秘密,但归根结底,有高度动机的黑客总是能够拿到安装的照片中。 因此,这符合秘密的价值,也符合开采的困难。
客户秘密的价值掩盖了申请。 它没有提供用户数据。 然而,由于Twitter支持自动向以前核准的器具(其标识与Twitter的流量)签发证书,攻击者有可能建立一个带有你的秘密的网络,并利用盲目转头偷窃用户数据。
The problem with Twitter s implementation is that they do not ask the developer about the nature of the application. If they did, they would not have issued you a secret to begin with, and would block anyone building a web application using your client credentials and stealing data from users who already approved it.
混淆是一种选择,但是一种弱小的选择。 将秘密带至作为APIC代理人的网络服务器是另一个,但这只是将问题转移到其他地方,因为现在你的用人必须用代理服务器作认证。 然而,如果您要求用户登录网站(可通过网站浏览利用Twitter在网站上登录),这种模式就会有合理的保障。 这样,有人试图滥用你的代理,就要求其用户在你的工作上开立账户,而你的工作是令人强烈的。
简言之,它走在前面,fus倒。 它没有伤害。 考虑采用代理模式。 也许让Twitter知道其安全政策是“不是巨大的”。
我肯定读到。 页: 1
我的建议是,排除钥匙,使之无法轻率地提取,而且你们应该能够从机会和游戏中安全。
Hammer-Lahav认为,不应撤销奥阿特秘密,而只应用于收集统计数字。 希望 推特遵循这项建议。
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...
