Security

Learn how credentials and other sensitive data are handled when you use EAS.


Before you enter outside credentials or provide other sensitive data to third-party software, you should ask yourself whether you trust the software to use it responsibly and protect it. Due to the nature of what goes into building an app binary for distribution on app stores, the Expo standalone app build service requires various pieces of information with varying degrees of sensitivity. This document explains what those are, how we store them, and what could go wrong if they were to be compromised.

Most data stored by Expo servers (credentials or otherwise) is encrypted at rest by our cloud provider, Google Cloud. Credentials are additionally encrypted using KMS. Credentials are only decrypted for as long as we need them in memory in the standalone app builders or push notification services. Credentials are always encrypted in our databases, message queues, and other less transient parts of the system.

All of the data related to the information explained below can be downloaded from and removed from Expo servers (if it is stored there at all in the first place), and some of it may be available through other locations such as the Apple Developer Portal.

Android Push Notification credentials

Android uses Firebase Cloud Messaging (FCM) for push notifications. If you build a standalone app with Expo, we store your FCM server key for you.

Consequences if compromised

Each FCM server key can send push notifications to any of the Android apps associated with the Firebase project to which the key belongs. A malicious actor would need to have access to both the FCM server key and device tokens to send a notification.

You can create and delete server keys through the Firebase console. When you delete a key, notifications using that key will stop working. When you create a new one and upload it to Expo, notifications will resume working.

Consequences if lost

None. You can access it through the Firebase console.

Android build credentials

A keystore and keystore password are required to sign a build for release to the Play Store. These are encrypted with KMS and additionally encrypted at rest. After an app is first submitted to the Google Play Store, the same keystore must be used to sign the app again to update it. It proves that the APK came from the developer who owns the keystore. The keystore alone doesn't let you submit to Google Play — your Google account needs access to the Google Play Console as well.

Consequences if compromised

Provided that your Google Play Developer account is secure, a malicious actor will not be able to update your app with your keystore and keystore password. You cannot change your keystore.

Consequences if lost

You will not be able to update your app on Google Play. You may want to download and back up the keystore and keystore password in a secure location of your choosing, or in Google Play with the App Signing feature.

Google Developer credentials

Expo tools never ask you to provide your Google account credentials.

Android submit credentials

Google Service Account Key

The Google Service Account Key is the authentication method used to submit an Android app to the Google Play Store with EAS Submit. This key is stored on Expo servers and encrypted using KMS when at rest. The key remains on Expo servers to be re-used for subsequent submissions, and it can be removed at any time by a user with the requisite permissions.

Consequences if compromised

If a malicious actor somehow gains access to your Google Service Account Key, they would be able to perform actions in the Google Play Console on your behalf. The actions they could perform would be limited to the permissions granted to the service account key.

If the attacker has additionally gained access to your upload keystore, they would be able to submit a new version of an existing app. The actor would not be able to submit a new app to the Google Play Store in your name, as the first Google Play submission needs to be done through the web console.

Consequences if lost

None. If you lose the Google Service Account Key, you can revoke it using the Google Cloud Console and create a new one.

iOS Push Notification credentials

There are two types of iOS push notification credentials: the modern approach recommended by Apple and the legacy approach. The default behavior is to use the modern approach, but developers may opt in to the legacy approach by providing a p12 certificate.

APNs auth key (p8) + key ID (string)

Each developer account has up to two auth keys, each of which can send notifications to any app on the account.

Auth keys are revocable from the Apple Developer Center. If you revoke them, notifications will stop working. If you provision a new auth key and upload it to Expo, notifications will resume working. Device tokens are not invalidated when auth keys are revoked.

Consequences if compromised

If a malicious actor were to somehow gain access to the credentials, they would be able to send push notifications to your app. However, they would also need to know which device tokens to send them to.

Consequences if lost

The Apple Developer console lets you download an APNs Auth Key only when it is created. If an Auth Key is lost, it can be revoked through the Apple Developer console and replaced with a new key.

iOS build credentials

This refers to the production distribution certificate and password (which are automatically generated if you let Expo manage them for you) and provisioning profiles (which are not secret). Like most credential data stored by Expo, these are all encrypted with KMS. Your build credentials let you build an app to upload to App Store Connect. To actually upload it and submit it for review, though, you need to have your Apple Developer account credentials.

Consequences if compromised

There isn't much that a malicious actor could do with this alone — they would be unable to submit any apps without having your Apple Developer account credentials. You can revoke the distribution certificate and provisioning profile from the Apple Developer website.

Consequences if lost

None. They are available through the Apple Developer console.

Apple Developer account credentials

When creating a standalone app build, or uploading to the App Store, you will be prompted for your Apple Developer account credentials. We do not store these on our servers — EAS CLI only uses them locally. Your computer alone provisions the distribution certificates and auth keys that are sent to Expo servers; your developer credentials themselves are not sent to Expo servers. An additional layer of security is enforced by Apple, which requires two-factor authentication for all Apple Developer accounts.

When creating ad-hoc builds, we temporarily store an Apple Developer session token used to create an ad-hoc provisioning profile with your development device's UDID. Once we are done using this session token, we destroy it.

Keychain

By default, your Apple ID credentials are stored in the macOS Keychain. Your password is only ever stored locally on your computer. This feature is not available for Windows or Linux users.

Disable Keychain support with the environment variable EXPO_NO_KEYCHAIN=1. You can also use this to change the saved password.

Changing the Apple ID password in Keychain

To delete the locally stored password, open the "Keychain Access" app, switch to "All Items", and search for "deliver.[Your Apple ID]" (example: deliver.bacon@expo.dev). Select the item you wish to modify and delete it. The next time you run an Expo command, you'll be prompted for a new password.
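The same cleanup can be scripted with the `security` command-line tool that ships with macOS. The script below is an added example, not Expo's tooling and not from the original page; it assumes the saved password is a generic-password item in the login keychain whose service name follows the "deliver.<Apple ID>" convention described above, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: a command-line equivalent of the Keychain Access steps above.
# Assumptions (not from the page): the item is a generic password, its service
# name is "deliver.<Apple ID>", and the `security` CLI is available (macOS only).

# Build the keychain service name under which the Apple ID password is saved.
keychain_service_name() {
  printf 'deliver.%s\n' "$1"
}

# Check whether an entry exists for the given Apple ID.
# Exit status: 0 found, 2 when `security` is unavailable (not macOS), other non-zero not found.
# The secret itself is never printed; only the lookup result is reported.
find_apple_id_entry() {
  command -v security >/dev/null 2>&1 || return 2
  security find-generic-password -s "$(keychain_service_name "$1")" >/dev/null 2>&1
}

# Delete the entry so the next Expo command prompts for a fresh password.
delete_apple_id_entry() {
  command -v security >/dev/null 2>&1 || return 2
  security delete-generic-password -s "$(keychain_service_name "$1")" >/dev/null 2>&1
}

# Usage: ./keychain_entry.sh <apple-id> [--delete]
main() {
  apple_id="$1"
  [ -n "$apple_id" ] || { echo "usage: $0 <apple-id> [--delete]" >&2; return 64; }

  service="$(keychain_service_name "$apple_id")"
  find_apple_id_entry "$apple_id"
  rc=$?
  case "$rc" in
    0)
      echo "found keychain entry: $service"
      if [ "$2" = "--delete" ]; then
        if delete_apple_id_entry "$apple_id"; then
          echo "deleted $service; the next Expo command will prompt for a new password"
        else
          echo "failed to delete $service" >&2
          return 1
        fi
      fi
      ;;
    2)
      echo "the security CLI is not available; this only works on macOS" >&2
      return 2
      ;;
    *)
      echo "no keychain entry named $service (nothing stored locally)"
      return 1
      ;;
  esac
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it with your Apple ID to confirm whether a password is stored locally, and add --delete to remove it; setting EXPO_NO_KEYCHAIN=1 instead prevents the password from being saved at all.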

Consequences if compromised

For standalone builds, as explained above, your machine would need to be compromised for a malicious actor to have access to your username and password. They would also need to have access to your two-factor authentication code generator, which for Apple Developer accounts is a pre-authorized Apple device. At this point you may have worse problems, but, as you would expect, the actor would be able to do whatever they like with your Apple Developer account.

For ad-hoc builds, if someone were to gain access to your session token, it would be comparable to being signed in to your account.

Consequences if lost

None. They are available through the Apple Developer console.

iOS submit credentials

Apple App Store Connect (ASC) API key

The Apple App Store Connect (ASC) API key is one of the authentication methods that can be used to submit an iOS app to Apple's App Store using the EAS Submit service. This key is stored on Expo servers and encrypted using KMS when at rest. The key remains on Expo servers to be re-used for subsequent submissions, and it can be removed at any time by a user with the requisite permissions.

The ASC API key is the default and recommended authentication method for submitting your apps to the App Store using EAS Submit.

Consequences if compromised

If a malicious actor somehow gains access to the ASC API key, they would be able to perform actions in App Store Connect on your behalf. The actions they could perform would be limited to the permissions granted to the API key.

If the attacker has additionally gained access to your build credentials, they would be able to submit a new version of an existing app. They would only be able to submit the app signed with those build credentials; they can't submit an arbitrary app to the App Store in your name.

Consequences if lost

None. If you lose the ASC API key, you can revoke it using the App Store Connect portal and create a new one.

Apple app-specific password

The Apple app-specific password is another authentication method that can be used to submit an iOS app to Apple's App Store using EAS Submit. Unlike other credentials, the app-specific password is not stored on Expo servers between submissions; it must be provided each time it is to be used.

The password is encrypted using KMS and stored only for the period required to submit the app to the App Store plus 24 hours, to allow for retries during that time. Once this period is over, the password is deleted from Expo servers.

This authentication method is not recommended. We recommend using the App Store Connect (ASC) API key for submitting your apps to the App Store instead. Expo won't use the Apple app-specific password in any way other than to submit your app to the App Store.

Consequences if compromised

If a malicious actor somehow gains access to the app-specific password, they would be able to access information like mail, contacts, and calendars that you store in iCloud (check Apple's documentation for more details).

If the attacker has additionally gained access to your build credentials, they would be able to submit a new version of an existing app. They would only be able to submit the app signed with those build credentials; they can't submit an arbitrary app to the App Store in your name.

Consequences if lost

None. If you lose the app-specific password, you can revoke it and create a new one in your Apple account settings.

Device tokens for Android and iOS push notifications

On top of the platform-specific credentials, a device token is necessary to send a push notification. Expo manages this for you and provides an abstraction on top of it, the Expo Push Token. The device token identifies the recipient, that is, the device to which the notification is being sent. Device tokens are encrypted at rest and are periodically rotated automatically by Android and iOS.

Consequences if compromised

If a malicious actor has access to the device tokens, they will be unable to do anything with them unless they also have the push notification credentials for the appropriate platform.

Consequences if lost

You won't be able to send notifications to users until they open your app again.

Need more control?

If the above information doesn't satisfy your security requirements, you may wish to run your standalone app builds on your own infrastructure. Note that you will still need to provide your push notification credentials to use the push notification service. If that is also impossible, we recommend handling push notifications on your own.