security

Security & Data Integrity (Architect Level)


  • AES-256-GCM: Use Authenticated Encryption for all sensitive storage.
  • Secret Storage: Mandatory use of flutter_secure_storage for encryption keys and master-derived keys.
  • Key Derivation: Mandate NIST-approved hashing (Argon2id) for master password derivation before local storage encryption and export.
  • Memory Safety: Strictly clear sensitive variables (passwords, keys) from memory when the operation finishes or the app enters the background.
  • Clipboard Safety: Mandate programmatic clearing of sensitive data (OTPs, Passwords) after a short duration (30-60s).
  • Biometric Gate: Mandatory local authentication for any view, export, or destructive action.
  • Audit Log: All security-sensitive actions should be logged via AppLogger (excluding raw secrets).
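
The Clipboard Safety rule above, as an added Flutter example that is not part of the original page. ClipboardGuard, its method names and the 30-second default are assumptions; it relies on Flutter's Clipboard and WidgetsBindingObserver APIs and expects the widgets binding to be initialized before it is constructed.

```dart
import 'dart:async';
import 'package:flutter/services.dart';
import 'package:flutter/widgets.dart';

/// Hypothetical helper (not from the page): copies a secret and removes it
/// from the clipboard once [ttl] has elapsed.
class ClipboardGuard with WidgetsBindingObserver {
  ClipboardGuard({this.ttl = const Duration(seconds: 30)}) {
    WidgetsBinding.instance.addObserver(this);
  }

  final Duration ttl;
  Timer? _timer;
  String? _copied; // a Dart String cannot be wiped, so drop the reference
  DateTime? _deadline;

  Future<void> copySensitive(String value) async {
    _timer?.cancel();
    _copied = value;
    _deadline = DateTime.now().add(ttl);
    await Clipboard.setData(ClipboardData(text: value));
    _timer = Timer(ttl, clearIfOurs);
  }

  /// Clears only while the clipboard still holds our value, so content the
  /// user copied afterwards is left alone.
  Future<void> clearIfOurs() async {
    final current = await Clipboard.getData(Clipboard.kTextPlain);
    if (current == null) return; // nothing readable now; retried on resume
    if (_copied != null && current.text == _copied) {
      await Clipboard.setData(const ClipboardData(text: ''));
    }
    _copied = null;
    _deadline = null;
  }

  @override
  void didChangeAppLifecycleState(AppLifecycleState state) {
    final due = _deadline;
    // A Timer can fire late if the app was suspended, so re-check the
    // wall-clock deadline whenever the app returns to the foreground.
    if (state == AppLifecycleState.resumed &&
        due != null &&
        !DateTime.now().isBefore(due)) {
      clearIfOurs();
    }
  }
}
```

When the owning object is torn down, cancel the pending timer and call WidgetsBinding.instance.removeObserver on the guard.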

Input & API Security


  • Input Validation: Validate and sanitize all user-facing input fields before processing or storage.
  • HTTPS Only: All API communication MUST use HTTPS. Consider certificate pinning for sensitive applications.
  • Token Storage: STRICTLY prohibit storing tokens, API keys, or credentials in source code or public repositories. Use flutter_secure_storage or environment-based injection.