How to keep the OAuth consumer secret safe, and how to react when it is compromised?

2023-09-12 03:49:16 Author: @我的男神吴亦凡~

This question is about trying to understand the security risks involved in implementing OAuth on a mobile platform like Android. The assumption here is that we have an Android application that has the consumer key/secret embedded in the code.

Assuming a consumer secret has been compromised, and a hacker has gotten hold of it, what are the consequences of this?

Compromised consumer secret assumptions: Am I correct in stating that a compromised consumer secret as such has no effect on the user's security, or on any data stored at the OAuth-enabled provider that the user was interacting with? The data itself is not compromised and cannot be retrieved by the hacker.

The hacker would need to get hold of a valid user access token, and that's a lot harder to get.

What could a hacker do with a compromised consumer secret? Am I also correct in stating the following:

- The hacker can set up/publish an application that imitates my app.
- The hacker can attract users that will go through the OAuth flow, retrieving an access token via the hacker's OAuth dance (using the compromised consumer key/secret).
- The user might think he's dealing with my app, as he will see a familiar name (consumer key) during the authorization process.
- When a consumer issues a request via the hacker, the hacker can easily intercept the access token, and combined with the consumer secret can now sign requests on my behalf to gain access to my resources.

End user impact: Assuming that

- a hacker has set up an application/site using my consumer secret, and
- one of my users was tricked into authorizing access to that application/site,

the following could happen:

- The end user might be aware that something is wrong and notify the service provider (e.g. Google) about the malicious app.
- The service provider could then revoke the consumer key/secret.

OAuth consumer (my application) impact: My app (containing the consumer secret) would need to be updated, as otherwise none of my clients would be able to authorize my application to make requests on their behalf anymore (as my consumer secret would no longer be valid).

Delegating all OAuth traffic: Although it would be possible to delegate a lot of the OAuth interactions to an intermediate webserver (doing the OAuth dance and sending the access token to the user), one would have to proxy all service interactions as well, as the consumer key/secret is required for signing each request. Is this the only way to keep the consumer key/secret outside of the mobile app, stored in a more secure place on the intermediate webserver?

Alternatives: Are there alternatives to this proxying? Is it possible to store the consumer secret at the intermediate webserver, and have some kind of mechanism by which the Android application (published in the market and properly signed) can make a secure request to the intermediate webserver to fetch the consumer secret and store it internally in the app? Can a mechanism be implemented so that the intermediate webserver "knows" that it is the official Android app that is requesting the consumer secret, and that the intermediate webserver will only hand out the consumer secret to that particular Android app?

Recommended answer

Summary: I would just take the risk and keep the secret in the client app.

Proxy server alternative

The only way you can reasonably mitigate the problems I list below and make the proxying work would be to go the whole nine yards: move all the business logic for dealing with the resources on the third-party webservice to your proxy server, and make the client app a dumb terminal with a rich UI. This way, the only actions the malicious app would be able to make the proxy perform on its behalf would be only what your business logic legitimately needs.

But now you get into the realm of a whole slew of other problems having to do with reliability and scalability.

Long-winded reasons why a simple proxy won't work

"Some people, when confronted with a problem, think 'I know, I'll add my own proxy server.' Now they have two problems." (with apologies to Jamie Zawinski)

Your assumptions are largely right. Right down to the point where you start thinking about your own server, whether it keeps the secret and proxies the calls for the client app, or it attempts to determine if the app is legitimate and gives it the secret. In both approaches, you still have to solve the problem of "is this request coming from a piece of code I wrote?"

Let me repeat: there is no way to distinguish on the wire which particular piece of software is running. If the data in the messages looks right, nothing can prove it's another app that's sending that message.

At the end of the day, if I am writing a malicious app, I don't care whether I actually know the real secret, as long as I can make somebody that knows it do work on my behalf. So, if you think a malicious app can impersonate your app to the third-party OAuth servers, why are you certain it can't impersonate your app to your proxy?

But wait, there's more. The domain at which your proxy service is located is your identity to both your clients and the OAuth provider (as shown to the end user by the OAuth provider). If a malicious app can make your server do bad stuff, not only is your key revoked, but your public web identity is also no longer trusted.

I will start with the obvious: there is no way to distinguish on the wire which particular piece of software is running. If the data in the messages looks right, nothing can prove it's another app that's sending that message.

Thus, any algorithm that relies on an app-side stored secret can be spoofed. OAuth's strength is that it never gives the user's credentials to the app, instead giving the app temporary credentials of its own that the user can revoke if necessary.

Of course, the weak point here is that a sufficiently good app can get the user to trust it and not revoke the credentials before it has finished its nefarious deeds.

However, one way to mitigate this is Google's approach of using 3-legged OAuth instead of the standard 2-legged. In 3-legged OAuth, there's no pre-assigned secret, but on every authentication a new access token secret is issued, along with each access token. While ultimately this suffers from the same drawback, as a bad app can read the good app's token secret from its process, it does result in the user having to approve the app's access every time it needs a new access token.

And of course, this also means that it's a bit more inconvenient and annoying for the user.
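Added example (not code from the question or the answer): a toy OAuth 1.0a HMAC-SHA1 signer and a provider-side verifier, used to play out the scenarios discussed in the thread. The HMAC key is the consumer secret joined with the per-user token secret, so a leaked consumer secret alone does not let anyone sign as an existing user; a look-alike app that puts a tricked user through its own OAuth dance under the leaked key does get accepted, and the provider cannot tell the two binaries apart; and revoking the consumer key cuts off the genuine app along with the impostor. The consumer credentials, hostname and the `Provider` class are constructed for this example and are not from any real service.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lower-cased scheme and host, default port dropped, query removed (RFC 5849 3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params):
    """Method, base URI and normalized (encoded, sorted) parameters joined by '&' (RFC 5849 3.4.1)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """The HMAC key is BOTH secrets, consumer secret '&' token secret: one alone cannot sign."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret):
    """What a client (the real app, or anyone holding the same secrets) sends with a request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, params),
                                                    consumer_secret, token_secret)
    return params


class Provider:
    """Constructed toy OAuth 1.0 provider: checks signatures, knows nothing about which binary signed."""

    def __init__(self):
        self.consumers = {}  # consumer_key -> consumer_secret
        self.tokens = {}     # oauth_token -> (consumer_key, token_secret, user)

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def revoke_consumer(self, key):
        self.consumers.pop(key, None)  # what the provider does after a user reports the look-alike app

    def issue_token(self, consumer_key, user):
        """End of the 3-legged dance: a fresh token AND token secret for this user/consumer pair."""
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = (consumer_key, token_secret, user)
        return token, token_secret

    def verify(self, method, url, params):
        """Return the user the request acts for, or None if the signature does not check out."""
        consumer_key = params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        token = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token is None or token[0] != consumer_key:
            return None
        _, token_secret, user = token
        expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return None
        return user  # nonce/timestamp replay checks omitted to keep the example short


def demo():
    """Plays out the thread's scenarios; returns who each request is accepted as (None = rejected)."""
    consumer_key, consumer_secret = "app-ck-0001", "s3cret-embedded-in-apk"  # constructed values
    url = "https://api.example.test/photos?file=vacation.jpg&size=original"
    provider = Provider()
    provider.register_consumer(consumer_key, consumer_secret)
    alice_token, alice_secret = provider.issue_token(consumer_key, "alice")  # alice authorized the real app
    results = {}
    # 1. Genuine app: consumer secret plus alice's token and token secret.
    genuine = sign_request("GET", url, consumer_key, consumer_secret, alice_token, alice_secret)
    results["genuine_app"] = provider.verify("GET", url, genuine)
    # 2. Leaked consumer secret and alice's token id, but not her token secret: rejected.
    forged = sign_request("GET", url, consumer_key, consumer_secret, alice_token, "wrong-token-secret")
    results["leaked_secret_only"] = provider.verify("GET", url, forged)
    # 3. Look-alike app ran its own dance with bob under the leaked key: bob's token is legitimately
    #    bound to that consumer key, so the impostor's requests verify. The wire cannot tell the apps apart.
    bob_token, bob_secret = provider.issue_token(consumer_key, "bob")
    impostor = sign_request("GET", url, consumer_key, consumer_secret, bob_token, bob_secret)
    results["impostor_with_tricked_user"] = provider.verify("GET", url, impostor)
    # 4. Provider revokes the consumer key: the impostor is cut off, and so is every install of the real app.
    provider.revoke_consumer(consumer_key)
    results["impostor_after_revocation"] = provider.verify("GET", url, impostor)
    results["genuine_after_revocation"] = provider.verify("GET", url, sign_request(
        "GET", url, consumer_key, consumer_secret, alice_token, alice_secret))
    return results


if __name__ == "__main__":
    for scenario, user in demo().items():
        print(f"{scenario:28} -> {user}")
```

Scenario 2 is the question's assumption that a leaked consumer secret by itself exposes no user data; scenario 3 is the answer's point that the damage comes from a user being talked through the impostor's dance, which no proxy or "official app" check on the wire can prevent; scenario 4 is the consumer-side impact of revocation.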

 