我要使用OAuth从谷歌获取邮件和联系人。我不想每次都要求用户登录到获得accesstoken和秘密。从我的理解，我需要把它们存放与我无论是在数据库或共享preferences应用....但我有点担心安全方面的问题与....我读了你可以加密和解密令牌，但很容易让攻击者只是反编译你的apk文件和类，并获得加密密钥......做什么来安全地存储这些令牌的Andr​​oid？最好的方法

i am going to use oauth to fetch mails and contacts from google. I don't want to each time ask the user to log in to obtain an accesstoken and secret. From what i understood, i need to store them with my application either in a database or sharedpreferences.... but i am a bit worried about security aspects with that.... i read that you can encrypt and decrypt the tokens but it is easy for an attacker to just decompile your apk and classes and get the encryption key... do what's the best method to securely store these tokens in android?

推荐答案

并将其作为共享preferences。这些都是默认为私有，和其他应用程序不能访问它们。在一个扎根的设备，如果用户明确允许访问某些应用程序，试图阅读，应用程序可能能够使用它们，但你不能反对保护。至于加密，你要么需要用户每次（从而击败缓存证书的目的）进入解密密码，或保存到一个文件，你会得到同样的问题。

Store them as shared preferences. Those are by default private, and other apps cannot access them. On a rooted devices, if the user explicitly allows access to some app that is trying to read them, the app might be able to use them, but you cannot protect against that. As for encryption, you have to either require the user to enter the decrypt passphrase every time (thus defeating the purpose of caching credentials), or save the key to a file, and you get the same problem.

有存储的实际用户名密码令牌，而不是几个好处：

There are a few benefits of storing tokens instead of the actual username password: