在我的Objective C代码中,我的代码中有一个使用者密钥和密码,用于SHA-1加密。我想知道的是我是否可以避免硬编码来提高安全性。我发现有以下几种到目前为止,如何避免硬编码加密密钥(目标C)?
损害了在源代码中声明的静态密钥。磁盘上的这些密钥应该被破坏,以防止对手分析和拦截原始密钥;
接下来,应用程序应在需要密钥的代码使用之前修复密钥;
紧接在使用密钥之前,应用程序应执行密钥值的校验和以验证未损坏的密钥与代码在构建时声明的值相匹配;和
最后,应用程序应该立即重新损坏内存中的密钥后,应用程序已完成使用它的特定呼叫。
找到2 https://github.com/UrbanApps/UAObfuscatedString
有人可以帮我吗?
示例代码:
+ (NSString *) getOauthHeaderForRequestString:(NSString *)requestString {
NSString *oauthConsumerKey = @"<consumer key which I want avoid hardcoding>";
NSString *oauthConsumerSecret = @"<consumer secret which I want to avoid hardcoding>";
NSString *oauthSignatureMethod = @"HMAC-SHA1";
NSString *oauthVersion = @"1.0";
NSString *oauthNonce = [self generateNonce];
NSString *oauthtimestamp = [NSString stringWithFormat:@"%d", (int)[[NSDate date] timeIntervalSince1970]];
NSArray * params = [NSArray arrayWithObjects:
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_consumer_key", oauthConsumerKey],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_nonce", oauthNonce],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_signature_method", oauthSignatureMethod],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_timestamp", oauthtimestamp],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_version", oauthVersion],
[NSString stringWithFormat:@"%@%%3D%@", @"request", [requestString stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding]],
nil];
params = [params sortedArrayUsingSelector:@selector(compare:)];
NSString *parameters = [params componentsJoinedByString:@"%26"];
NSString *postURL = @"<my post url>";
NSArray * baseComponents = [NSArray arrayWithObjects:
@"POST",
[self encodeString:postURL],
parameters,
nil];
NSString * baseString = [baseComponents componentsJoinedByString:@"&"];
NSArray *signingKeyComponents = [NSArray arrayWithObjects:oauthConsumerSecret, @"", nil];
NSString *signingKey = [signingKeyComponents componentsJoinedByString:@"&"];
NSData *signingKeyData = [signingKey dataUsingEncoding:NSUTF8StringEncoding];
NSData *baseData = [baseString dataUsingEncoding:NSUTF8StringEncoding];
uint8_t digest[20] = {0};
CCHmac(kCCHmacAlgSHA1, signingKeyData.bytes, signingKeyData.length, baseData.bytes, baseData.length, digest);
NSData *signatureData = [NSData dataWithBytes:digest length:20];
NSString *oauthSignature = [self base64forData:signatureData];
// final request build
NSString *oauthHeader = @"OAuth ";
oauthHeader = [oauthHeader stringByAppendingFormat:@"oauth_consumer_key=\"%@\"",oauthConsumerKey];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_nonce=\"%@\"",oauthNonce];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_signature=\"%@\"",[self encodeString:oauthSignature]];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_signature_method=\"%@\"",oauthSignatureMethod];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_timestamp=\"%@\"",oauthtimestamp];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_version=\"1.0\""];
return oauthHeader;
}
你是什么意思“破坏”一个关键?假设密钥是一个字符串:如何“损害”一个字符串? – Sajjon
如果您正在寻找一种在iOS应用程序中安全存储密钥(例如字符串)的方法,则应将其存储在“KeyChain”中。请参阅https://www.raywenderlich.com/92667/securing-ios-data-keychain-touch-id-1password或者可能是开源框架:https://github.com/kishikawakatsumi/KeychainAccess – Sajjon
,你应该清楚你究竟在试图抵御自己的攻击,你害怕什么类型的攻击。 – luk2302