Learn how credentials and other sensitive data are handled when you use EAS.
Before you enter outside credentials or provide other sensitive data to third-party software, you should ask yourself whether you trust the software to use it responsibly and protect it. Due to the nature of what goes into building an app binary for distribution on app stores, the Expo standalone app build service requires various pieces of information with varying degrees of sensitivity. This document explains what those are, how we store them, and what could go wrong if they were to be compromised.
Most data stored by Expo servers (credentials or otherwise) is encrypted at rest by our cloud provider, Google Cloud. Credentials are additionally encrypted using KMS. Credentials are only unencrypted for as long as we need them in memory in the standalone app builders or push notification services. Credentials are always encrypted in our databases, message queues, and other less transient parts of the system.
All of the data related to the information explained below can be downloaded from and removed from Expo servers (if it is stored there at all in the first place), and some of it may be available through other locations such as the Apple Developer Portal.
Android Push Notification credentials
Android uses Firebase Cloud Messaging (FCM) for push notifications. If you build a standalone app with Expo, we store your FCM server key for you.
Consequences if compromised
Each FCM server key can send push notifications to any of the Android apps associated with the Firebase project to which the key belongs. A malicious actor would need to have access to both the FCM server key and device tokens to send a notification.
You can create and delete server keys through the Firebase console. When you delete a key, notifications using that key will stop working. When you create a new one and upload it to Expo, notifications will resume working.
Consequences if lost
None. You can access it through the Firebase console.
Android build credentials
A keystore and keystore password are required to sign a build for release to the Play Store. These are encrypted with KMS and additionally at rest. After an app is first submitted to the Google Play Store, the same keystore must be used to sign the app again to update it. It proves that the APK came from the developer who owns the keystore. The keystore alone doesn't let you submit to Google Play; your Google account needs access to the Google Play Console as well.
Consequences if compromised
Provided that your Google Play Developer account is secure, a malicious actor will not be able to update your app with your keystore and keystore password. You cannot change your keystore.
Consequences if lost
You will not be able to update your app on Google Play. You may want to download and back up the keystore and keystore password in a secure location of your choosing, or in Google Play with the App Signing feature.
Google Developer credentials
Expo tools never ask you to provide your Google account credentials.
Android submit credentials
Google Service Account Key
A Google Service Account Key is the authentication method used to submit an Android app to the Google Play Store with EAS Submit. This key is stored on Expo servers and encrypted using KMS when at rest. The key remains on Expo servers so it can be re-used for subsequent submissions, and it can be removed at any time by a user with the requisite permissions.
Consequences if compromised
If a malicious actor somehow gains access to your Google Service Account Key, they would be able to perform actions in the Google Play Console on your behalf. The actions they could perform would be limited to the permissions granted to the service account key.
If the attacker has additionally gained access to your upload keystore, they would be able to submit a new version of an existing app. The actor would not be able to submit a new app to the Google Play Store in your name, as the first Google Play submission needs to be done through the web console.
Consequences if lost
None. If you lose the Google Service Account Key, you can revoke it using the Google Cloud Console and create a new one.
iOS Push Notification credentials
There are two types of iOS push notification credentials: the modern approach recommended by Apple and the legacy approach. The default behavior is to use the modern approach, but developers may opt in to the legacy approach by providing a p12 certificate.
APNs auth key (p8) + key ID (string)
Each developer account has up to two auth keys, each of which can send notifications to any app on the account.
Auth keys are revocable from the Apple Developer Center. If you revoke them, notifications will stop working. If you provision a new auth key and upload it to Expo, notifications will resume working. Device tokens are not invalidated when auth keys are revoked.
Consequences if compromised
If a malicious actor were to somehow gain access to the credentials, they would be able to send push notifications to your app. However, they would need to know which device tokens to send them to.
Consequences if lost
The Apple Developer console lets you download an APNs Auth Key only when it is created. If an Auth Key is lost, it can be revoked through the Apple Developer console and replaced with a new key.
iOS build credentials
This refers to the production distribution certificate and password (which are automatically generated if you let Expo manage them for you) and provisioning profiles (which are not secret). Like most credential data stored by Expo, these are all encrypted with KMS. Your build credentials let you build an app to upload to App Store Connect. To actually upload it and submit it for review, though, you need your Apple Developer account credentials.
Consequences if compromised
There isn't much that a malicious actor could do with this alone: they would be unable to submit any apps without having your Apple Developer account credentials. You can revoke the distribution certificate and provisioning profile from the Apple Developer website.
Consequences if lost
None. They are available through the Apple Developer console.
Apple Developer account credentials
When creating a standalone app build or uploading to the App Store, you will be prompted for your Apple Developer account credentials. We do not store these on our servers; EAS CLI only uses them locally. Your computer alone provisions the distribution certificates and auth keys that are sent to Expo servers; your developer credentials are not sent to Expo servers. An additional layer of security is enforced by Apple, as they require two-factor authentication for all Apple Developer accounts.
When creating ad-hoc builds, we temporarily store an Apple Developer session token used to create an ad-hoc provisioning profile with your development device's UDID. Once we are done using this session token, we destroy it.
Keychain
By default, your Apple ID credentials are stored in the macOS Keychain. Your password is only ever stored locally on your computer. This feature is not available for Windows or Linux users.
Disable Keychain support with the environment variable EXPO_NO_KEYCHAIN=1. You can also use this to change the saved password.
Changing Apple ID password in Keychain
To delete the locally stored password, open the "Keychain Access" app, switch to "All Items", and search for "deliver.[Your Apple ID]" (example: deliver.bacon@expo.dev). Select the item you wish to modify and delete it. The next time you run an Expo command, you'll be prompted for a new password.
Consequences if compromised
For standalone builds, as explained above, your machine would need to be compromised for a malicious actor to have access to your username and password. They would also need access to your two-factor authentication code generator, which for Apple Developer accounts is a pre-authorized Apple device. At this point you may have worse problems, but as you might expect, the actor would be able to do whatever they like with your Apple Developer account.
For ad-hoc builds, if someone were to gain access to your session token, it would be comparable to being signed in to your account.
Consequences if lost
None. They are available through the Apple Developer console.
iOS submit credentials
Apple App Store Connect (ASC) API key
An Apple App Store Connect (ASC) API key is one of the authentication methods that can be used to submit an iOS app to Apple's App Store using the EAS Submit service. This key is stored on Expo servers and encrypted using KMS when at rest. The key remains on Expo servers so it can be re-used for subsequent submissions, and it can be removed at any time by a user with the requisite permissions.
The ASC API key is the default and recommended authentication method for submitting your apps to the App Store using EAS Submit.
Consequences if compromised
If a malicious actor somehow gains access to the ASC API key, they would be able to perform actions in App Store Connect on your behalf. The actions they could perform would be limited to the permissions granted to the API key.
If the attacker has additionally gained access to your build credentials, they would be able to submit a new version of an existing app. They would only be able to submit an app signed with those build credentials; they can't submit an arbitrary app to the App Store in your name.
Consequences if lost
None. If you lose the ASC API key, you can revoke it using the App Store Connect portal and create a new one.
Apple app-specific password
An Apple app-specific password is another authentication method that can be used to submit an iOS app to Apple's App Store using EAS Submit. Unlike other credentials, the app-specific password is not stored on Expo servers between submissions; it must be provided each time it is used.
The password is encrypted using KMS and stored only for the period required to submit the app to the App Store plus 24 hours, to allow for retries during that time. Once this period is over, the password is deleted from Expo servers.
This authentication method is not recommended. We recommend using the App Store Connect (ASC) API key for submitting your apps to the App Store instead. Expo won't use the Apple app-specific password in any way other than to submit your app to the App Store.
Consequences if compromised
If a malicious actor somehow gains access to the app-specific password, they would be able to access information like mail, contacts, and calendars that you store in iCloud (check Apple's documentation for more details).
If the attacker has additionally gained access to your build credentials, they would be able to submit a new version of an existing app. They would only be able to submit an app signed with those build credentials; they can't submit an arbitrary app to the App Store in your name.
Consequences if lost
None. If you lose the app-specific password, you can revoke it and create a new one in your Apple account settings.
Device tokens for Android and iOS push notifications
On top of the platform-specific credentials, a device token is necessary to send a push notification. Expo manages this for you and provides an abstraction on top of it, the Expo Push Token. The device token identifies the recipient, that is, the device to which the notification is being sent. Device tokens are encrypted at rest and periodically cycled automatically by Android and iOS.
Consequences if compromised
If a malicious actor has access to the device tokens, they will be unable to do anything with them unless they also have the push notification credentials for the appropriate platform.
Consequences if lost
You won't be able to send notifications to users until they open your app again.
Need more control?
If the above information doesn't satisfy your security requirements, you may wish to run your standalone app builds on your own infrastructure. Note that you will still need to provide your push notification credentials to use the push notification service. If that is also impossible, we recommend handling push notifications on your own.