[英]How can I prevent anyone from communicating with my server except my Android app
I got a rest server on Google app engine and I want only my app to to be able to make calls to my server. 我在Google应用引擎上安装了休息服务器,我只希望我的应用能够拨打我的服务器。
Is there a security option I can turn on on Google app engine that will faciliate this? 我可以在谷歌应用程序引擎上打开一个安全选项来实现这个目标吗? if not than what can I do?
如果不是我能做什么?
I know you can restrict access to some pages with the follwing but i am not sure it can be applied to REST calls 我知道您可以通过以下方式限制对某些页面的访问,但我不确定它是否可以应用于REST调用
<security-constraint>
<web-resource-collection>
<url-pattern>/cron/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
Generate privatekey/publickey pair in openssl. 在openssl中生成privatekey / publickey对。 In app distribution distribute public key.
在应用程序分发中分发公钥。 Have a custom http header called appName and encrypt the appname (a unique constant unpredicatable bit large number) and send it.
有一个名为appName的自定义http标头,并加密appname(一个唯一的常量不可预测位大号)并发送它。 Ensure your code is obfuscated so that no one is able to view the appname.
确保您的代码经过混淆,以便没有人能够查看appname。 Then since you are encrypting even if someone traces the http calls, the appname will be visible as encrypted value.
然后,即使有人跟踪http调用,您也在进行加密,因此appname将显示为加密值。 At your server end decrypt the appname using private key.
在服务器端使用私钥解密appname。 Hope this helps.
希望这可以帮助。
(Three answers already, and all with different ideas then my own on this matter - so a good question I think.) (已经有三个答案,并且在这个问题上我都有不同的想法 - 所以我认为这是一个很好的问题。)
It was my understanding that the recommended/canonical way of doing this (for google) is OATH2. 我的理解是这样做(谷歌)的推荐/规范方式是OATH2。 Google has recognized that OATH2 is tricky, and one of their attempts to simply it is cloud endpoints, along with Google Play Services for Android clients.
谷歌已经认识到OATH2很棘手,他们尝试简单的就是云端点,以及针对Android客户端的Google Play服务。 The instructions for this are here:
有关这方面的说明如下:
https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls
Note that while the docs emphasize User authentication, it also supports app authentication. 请注意,虽然文档强调用户身份验证,但它也支持应用程序身份验证。
What I don't know (but would like to) is how to the same thing for a non-endpoints app, so I guess this is just a partial answer. 我不知道(但是想)是非端点应用程序如何做同样的事情,所以我想这只是一个部分答案。
Short answer is, you can't, at least not completely securely. 简短的回答是,你不能,至少不是完全安全。
https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data
Long answer is, you can make it difficult for hackers. 答案很长,你可以让黑客很难。 Usually this works by embedding a key in the application, obfuscating it, and obfuscating the code for getting the key.
通常,这通过在应用程序中嵌入密钥,对其进行模糊处理以及对获取密钥的代码进行模糊处理来实现。 This doesn't make it impossible for someone to find the key, just harder.
这并不能让某人找到钥匙,只是更难。
One of the stronger consumer systems out there is Microsoft's Silverlight DRM, you might want to investigate how that works: http://www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight 其中一个更强大的消费者系统是微软的Silverlight DRM,你可能想调查它是如何工作的: http : //www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight
You could make all your REST services require an Access Key & Secret when accessed. 您可以在访问时使所有REST服务都需要访问密钥和密钥。 The App could then store these under the configuration settings and are left blank when shipped to the App store.
然后,应用程序可以将这些存储在配置设置下,并在发送到App Store时保留为空白。
Then when you download the application you can go into the configuration settings and insert the Key & Secret that you've setup for your REST Service. 然后,当您下载应用程序时,您可以进入配置设置并插入您为REST服务设置的密钥和密钥。 (This way it prevents anyone from accessing services, since you manually add the Key + Secret that are used)
(这样可以防止任何人访问服务,因为您手动添加了所使用的Key + Secret)
I would recommend setting up an IP Log of all unauthorized access attempts on the server so you could create a blacklist if someone is spamming your web service with invalid access attempts. 我建议在服务器上设置所有未经授权的访问尝试的IP日志,这样如果有人通过无效访问尝试向您的Web服务发送垃圾邮件,您就可以创建黑名单。
And then to top it all off you could do this all over HTTPS. 然后最重要的是你可以通过HTTPS完成这一切。
There are few options: 选项很少:
The canonical way to do this is using SSL and client certificates. 执行此操作的规范方法是使用SSL和客户端证书。 I'm not sure whether App Engine supports this.
我不确定App Engine是否支持此功能。
Do be aware, however, that if you're distributing your APK then you can't rely solely on anything distributed with the APK -- it would be possible (if rather unlikely, depending on how high-profile you are as a target) to extract whatever information is required to spoof the application. 但请注意,如果您正在分发您的APK,那么您不能仅依赖于随APK分发的任何内容 - 这是可能的(如果不太可能,取决于您作为目标的高调)提取欺骗应用程序所需的任何信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.