堆栈内存溢出
  简体   繁体   English

如何防止任何人与我的服务器通信,除了我的Android应用程序

[英]How can I prevent anyone from communicating with my server except my Android app

 原文  2013-09-25 13:19:23       java/ android/ security/ google-app-engine/ rest

问题描述

I got a rest server on Google app engine and I want only my app to to be able to make calls to my server. 我在Google应用引擎上安装了休息服务器,我只希望我的应用能够拨打我的服务器。

Is there a security option I can turn on on Google app engine that will faciliate this? 我可以在谷歌应用程序引擎上打开一个安全选项来实现这个目标吗? if not than what can I do? 如果不是我能做什么?

I know you can restrict access to some pages with the follwing but i am not sure it can be applied to REST calls 我知道您可以通过以下方式限制对某些页面的访问,但我不确定它是否可以应用于REST调用 

<security-constraint>
        <web-resource-collection>
            <url-pattern>/cron/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
</security-constraint>

6 个解决方案

解决方案1
 2  2013-09-25 15:05:01

Generate privatekey/publickey pair in openssl. 在openssl中生成privatekey / publickey对。 In app distribution distribute public key. 在应用程序分发中分发公钥。 Have a custom http header called appName and encrypt the appname (a unique constant unpredicatable bit large number) and send it. 有一个名为appName的自定义http标头,并加密appname(一个唯一的常量不可预测位大号)并发送它。 Ensure your code is obfuscated so that no one is able to view the appname. 确保您的代码经过混淆,以便没有人能够查看appname。 Then since you are encrypting even if someone traces the http calls, the appname will be visible as encrypted value. 然后,即使有人跟踪http调用,您也在进行加密,因此appname将显示为加密值。 At your server end decrypt the appname using private key. 在服务器端使用私钥解密appname。 Hope this helps. 希望这可以帮助。

解决方案2
 1  2013-09-25 16:23:36

(Three answers already, and all with different ideas then my own on this matter - so a good question I think.) (已经有三个答案,并且在这个问题上我都有不同的想法 - 所以我认为这是一个很好的问题。)

It was my understanding that the recommended/canonical way of doing this (for google) is OATH2. 我的理解是这样做(谷歌)的推荐/规范方式是OATH2。 Google has recognized that OATH2 is tricky, and one of their attempts to simply it is cloud endpoints, along with Google Play Services for Android clients. 谷歌已经认识到OATH2很棘手,他们尝试简单的就是云端点,以及针对Android客户端的Google Play服务。 The instructions for this are here: 有关这方面的说明如下:

https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls https://developers.google.com/appengine/docs/java/endpoints/consume_android#Java_Making_authenticated_calls

Note that while the docs emphasize User authentication, it also supports app authentication. 请注意,虽然文档强调用户身份验证,但它也支持应用程序身份验证。

What I don't know (but would like to) is how to the same thing for a non-endpoints app, so I guess this is just a partial answer. 我不知道(但是想)是非端点应用程序如何做同样的事情,所以我想这只是一个部分答案。

解决方案3
 1  2013-09-25 21:05:57

Short answer is, you can't, at least not completely securely. 简短的回答是,你不能,至少不是完全安全。

https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data

Long answer is, you can make it difficult for hackers. 答案很长,你可以让黑客很难。 Usually this works by embedding a key in the application, obfuscating it, and obfuscating the code for getting the key. 通常,这通过在应用程序中嵌入密钥,对其进行模糊处理以及对获取密钥的代码进行模糊处理来实现。 This doesn't make it impossible for someone to find the key, just harder. 这并不能让某人找到钥匙,只是更难。

One of the stronger consumer systems out there is Microsoft's Silverlight DRM, you might want to investigate how that works: http://www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight 其中一个更强大的消费者系统是微软的Silverlight DRM,你可能想调查它是如何工作的: http//www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight

解决方案4
 1  2013-09-26 22:41:36

You could make all your REST services require an Access Key & Secret when accessed. 您可以在访问时使所有REST服务都需要访问密钥和密钥。 The App could then store these under the configuration settings and are left blank when shipped to the App store. 然后,应用程序可以将这些存储在配置设置下,并在发送到App Store时保留为空白。

Then when you download the application you can go into the configuration settings and insert the Key & Secret that you've setup for your REST Service. 然后,当您下载应用程序时,您可以进入配置设置并插入您为REST服务设置的密钥和密钥。 (This way it prevents anyone from accessing services, since you manually add the Key + Secret that are used) (这样可以防止任何人访问服务,因为您手动添加了所使用的Key + Secret)

I would recommend setting up an IP Log of all unauthorized access attempts on the server so you could create a blacklist if someone is spamming your web service with invalid access attempts. 我建议在服务器上设置所有未经授权的访问尝试的IP日志,这样如果有人通过无效访问尝试向您的Web服务发送垃圾邮件,您就可以创建黑名单。

And then to top it all off you could do this all over HTTPS. 然后最重要的是你可以通过HTTPS完成这一切。

解决方案5
 0  2013-09-25 13:39:27

There are few options: 选项很少:

  • Firstly you could limit by IP. 首先你可以通过IP限制。 This is not a good way if your android app gets dynamic IP every time. 如果你的Android应用程序每次都获得动态IP,这不是一个好方法。
  • Secondly you can use some algorigthm on both server and client which only you known. 其次,你可以在服务器和客户端上使用一些只有你知道的算法。 Server could send the data to client, client runs that algorithm and modify the data. 服务器可以将数据发送到客户端,客户端运行该算法并修改数据。 Then sends back to server. 然后发送回服务器。 Server also runs that algorithm and checks the response. 服务器还运行该算法并检查响应。 If the response is equal to what server has calculated, then server knows that client is authorized. 如果响应等于服务器计算的响应,则服务器知道客户端已获得授权。 In that case intial data which sends from server should be different everytime. 在这种情况下,从服务器发送的初始数据应该每次都不同。
  • Thirdly you can use some publicly available hashing functions instead of your own algorithm. 第三,您可以使用一些公开的散列函数而不是您自己的算法。 The idea is the same. 这个想法是一样的。 Server use same hashing function and checks if response from client is identical to its calculation. 服务器使用相同的散列函数,并检查客户端的响应是否与其计算相同。

解决方案6
 0  2013-09-25 14:11:28

The canonical way to do this is using SSL and client certificates. 执行此操作的规范方法是使用SSL和客户端证书。 I'm not sure whether App Engine supports this. 我不确定App Engine是否支持此功能。

Do be aware, however, that if you're distributing your APK then you can't rely solely on anything distributed with the APK -- it would be possible (if rather unlikely, depending on how high-profile you are as a target) to extract whatever information is required to spoof the application. 但请注意,如果您正在分发您的APK,那么您不能仅依赖于随APK分发的任何内容 - 这是可能的(如果不太可能,取决于您作为目标的高调)提取欺骗应用程序所需的任何信息。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 当我的Android应用无法连接到服务器时,如何停止强制关闭它? - How can I stop my android app from force closing when it cant connect to my server? 如何防止Android裁剪ImageView? - How can I prevent Android from cropping my ImageView? 如何防止我的Android应用在每次手机进入睡眠状态时重置? - How do I prevent my Android app from resetting every time my phone sleeps? Android:当我在Sql Server中将状态更改为false时,如何从应用程序自动注销? - Android : How can i Auto Log out from my app when i change my status to false in Sql server? 如何绘制从我的android应用发送到tomcat服务器的经度和纬度,并在该处的Google地图上进行绘制? - How can i plot the longitudes and latitudes sent from my android app to tomcat server and plot on the google maps there? 我如何绘制从我的 android 应用程序发送到 tomcat 服务器的 lat ,lng 并在那里的谷歌地图上绘制? - How can i plot the lat ,lng sent from my android app to tomcat server and plot on the google maps there? 与服务器通信-Android应用 - Communicating with Server - Android App 如何隐藏我的API密钥,以便任何人反编译我的应用程序都看不到它? - How can I make my API key hidden so that anyone decompling my app wouldn't see it? 如何防止用户使用伪造的电子邮件,这导致我的邮件服务器出现故障? - How can I prevent users from using fake emails, which is causing my mail server to fail? 如何解决内存泄漏并防止应用程序因碎片而崩溃? - How can I resolve memory leaks and prevent my app from crashing using fragments?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM