
Advice on implementing web server security in iPhone app

I have a relatively successful app in the App Store that allows people to view metrics on their iDevice using a JSON file hosted on their server. The app has a simple settings screen in which you simply type the URL of your JSON file, and the app takes care of visualising the data in the file. I use AFNetworking for this. For example, the URL might be: http://www.mylargecompany.com/factorykpi.json

Customers are now coming back to me and asking for the ability to connect to their servers more securely. The problem is that there are a myriad of ways you can secure your server.

I need some advice. What kind of standard security features would I need to build into my app? I am confused by OAuth, HTTPS, etc.

I believe OAuth would mean the customer's server would have to use it? Can you make a generic OAuth login screen in an app, or do you need to know which web server you are connecting to in order to authenticate?

Any advice on even the most basic of security measures would be very welcome!

Regards, MonkeyBusiness

Security is really a very broad topic. There is no short answer. In any case, both the web service and the client app need to implement security mechanisms. I would recommend that you provide both the web service and the client app.

You likely need some user login with a password, "server verifies user identity" and "client verifies server identity" using certificates. Then you utilize HTTPS, which ensures that confidential data is transported securely. The web service should be implemented with one of the well-known web application frameworks, since security is a scary and tricky business. Implementing everything yourself might end in a suboptimal, insecure application.

You should now read more about this complex topic and come back when you have specific questions.

... The most basic would be to use HTTPS, which would secure the transaction, but anybody accessing the same link would be able to access the same data. Thus you will need some kind of authentication, starting with a simple secret key passed in a POST request, a username and password, and/or certificates.
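The point both answers make is that HTTPS alone only protects the wire: anyone who knows the URL still gets the JSON. The following is an added example, not code from the question or from either answer, showing the server-side half of the fix in Python (the checks live on the customer's server, not in the iOS app): the `/factorykpi.json` handler accepts either HTTP Basic credentials against a salted PBKDF2 user table or a shared bearer token, compares in constant time, and answers 401 to everyone else. The username, password, token and KPI values are constructed for the example; a real service would load users from its database, and the whole exchange must run over HTTPS, since Basic auth and bearer tokens are sent in the clear otherwise.

```python
"""Server-side authentication for a JSON metrics endpoint (added example).

Assumes the file is served over HTTPS; nothing here protects the credentials
in transit.  Users, token and metrics below are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Mapping, Tuple

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, so a leaked user table does not hand out passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store {username: (salt, pbkdf2_hash)}; hypothetical account.
_SALT = os.urandom(16)
USERS = {"plantmanager": (_SALT, hash_password("correct horse battery staple", _SALT))}

# Dummy record hashed for unknown users so a missing account costs the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, hash_password("dummy", _DUMMY_SALT))

# Constructed shared secret for the "simple secret key" variant (hypothetical value).
API_TOKEN = "7e2c9b4f0a6d1e8c5b3a9f7d2e4c6b8a"

# Constructed sample metrics the app would visualise.
KPI_JSON = json.dumps({"line1_oee": 0.87, "line2_oee": 0.91})


def basic_header(user: str, password: str) -> str:
    """What the client puts in Authorization for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header_value: str) -> bool:
    """Verify 'Basic base64(user:password)' against the PBKDF2 user table."""
    try:
        scheme, encoded = header_value.split(" ", 1)
        if scheme.lower() != "basic":
            return False
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # malformed header, bad base64 or non-UTF-8 bytes
        return False
    record = USERS.get(user)
    salt, stored = record if record is not None else _DUMMY
    # Always hash and compare, then require the account to exist: constant
    # cost whether or not the username is known, and no match on the dummy.
    return hmac.compare_digest(stored, hash_password(password, salt)) and record is not None


def check_bearer(header_value: str) -> bool:
    """Verify 'Bearer <token>' against the shared secret in constant time."""
    scheme, _, token = header_value.partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(token.encode(), API_TOKEN.encode())


def handle_request(headers: Mapping[str, str]) -> Tuple[int, dict, str]:
    """Return (status, response_headers, body) for GET /factorykpi.json."""
    auth = headers.get("Authorization", "")
    if check_basic(auth) or check_bearer(auth):
        return 200, {"Content-Type": "application/json", "Cache-Control": "no-store"}, KPI_JSON
    # Anyone who merely knows the URL gets the challenge, not the data.
    return 401, {"WWW-Authenticate": 'Basic realm="factorykpi"'}, ""


if __name__ == "__main__":
    for label, hdrs in [
        ("no credentials", {}),
        ("good password", {"Authorization": basic_header("plantmanager", "correct horse battery staple")}),
        ("bad password", {"Authorization": basic_header("plantmanager", "guess")}),
        ("shared token", {"Authorization": "Bearer " + API_TOKEN}),
    ]:
        status, _, body = handle_request(hdrs)
        print(f"{label:15} -> {status} {body}")
```

The client-side half that the first answer mentions, the app verifying the server's identity, is iOS code and is not shown here; it amounts to shipping the expected server certificate (or its public key hash) in the app and rejecting TLS connections that present anything else, in addition to the normal chain validation HTTPS already gives you.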
