保护REST API以供Android客户端使用
[英]secure a REST API for use by Android clients
问题描述
We're developing a JSON REST API in Rails to be consumed by an Android application, which we are also developing. 
我们正在开发一个Rails中的JSON REST API,供我们开发的Android应用程序使用。 Is there any way to secure the API such that it can only be used by our specific Android application? 有没有办法保护API,使其只能由我们的特定Android应用程序使用?
The API is read-only, and does not involve any kind of user-related or otherwise sensitive information. API是只读的,不涉及任何类型的用户相关或其他敏感信息。 But to the extent that is reasonable we'd like to prevent abuse and restrict its use to only our app. 但在合理的范围内,我们希望防止滥用并将其限制仅限于我们的应用。
I could easily add an authentication token to the API and distribute it with the app, but: 我可以轻松地向API添加身份验证令牌并将其与应用程序一起分发,但是:
- We'd probably have to move the API over to SSL, if we use BASIC auth. 如果我们使用BASIC auth,我们可能不得不将API移到SSL。
- It's probably trivial for a determined person to open up the Android APK binary and uncover the auth token anyway. 对于一个坚定的人打开Android APK二进制文件并且无论如何都要发现身份验证令牌,这可能是微不足道的。
The situation seems analogous to a café posting their WiFi password on the shop counter- you have to give the secret out to everyone who wants to use your service, so it almost seems pointless to have it in the first place. 这种情况看起来类似于咖啡馆在商店柜台上发布他们的WiFi密码 - 你必须把秘密告诉所有想要使用你服务的人,所以一开始就把它放在一边似乎毫无意义。
What's the most reasonable approach to take? 什么是最合理的方法?
1 个解决方案
解决方案1
6 已采纳 2013-03-07 14:33:43
Wanting to secure a probably public undocumented API so it can only be accessed by one application, means you want to stop people from using your API who are determinate of using your API. 想要保护一个可能公开的未公开的API,以便它只能被一个应用程序访问,这意味着您希望阻止人们使用您决定使用API的API。
Meaning people who would try everything possible to use your API. 意味着会尽一切可能使用您的API的人。
If this is not the case adding a Auth token won't be trivial but at least a big stepping stone for people who stumble upon your API. 如果不是这种情况,添加一个Auth令牌将不会是微不足道的,但对于偶然发现你的API的人来说至少是一个很大的垫脚石。 And not a very bad idea to implement this. 实现这一点并不是一个非常糟糕的主意。
Because this authentication isn't user based but application based and you don't want authentication to rely on user input. 因为此身份验证不是基于用户的,而是基于应用程序的,并且您不希望身份验证依赖于用户输入。 The request must be purely done so by the application. 该请求必须由应用程序完全完成。
Meaning you will have to do so anyway(adding hardcoded token). 这意味着你必须这样做(添加硬编码令牌)。 Only you make it very very difficult for a determined person to uncover the access and request tokens and the methods. 只有你让一个坚定的人发现访问权限并请求令牌和方法非常困难。
It depends on the situation, but I would go for the SSL and hardcoded token. 这取决于具体情况,但我会选择SSL和硬编码令牌。
Some extra security: 一些额外的安全:
- Release an access token to the application which only need to send a request token periodically. 向应用程序释放访问令牌,只需要定期发送请求令牌。 Meaning less chance people intercept the hardcoded request token, but a session based access token which expires. 意味着人们更少机会拦截硬编码的请求令牌,但是基于会话的访问令牌会过期。 Maybe just do this once for every application install. 也许只为每个应用程序安装执行此操作。
- Encode this request token before sending it through the air. 在通过空中发送之前对此请求令牌进行编码。 Meaning people have to decompile your app. 意味着人们必须反编译你的应用程序。
- Obfuscate code (make it more difficult to decompile). 混淆代码(使反编译更加困难)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.