确保http(s)请求来自我的iOS应用程序
[英]Make sure an http(s) request is coming from my iOS app
问题描述
I'm developing an iOS App where users are displayed content related to their surrounding. 
我正在开发一个iOS应用程序,用户可以在其中显示与周围环境相关的内容。 I have a username/ password authentification. 我有一个用户名/密码验证。 So a user sends his gps data along with his login information to my PHP/ MySQL backend, which then returns the data. 因此,用户将他的gps数据及其登录信息发送到我的PHP / MySQL后端,然后返回数据。
However, I fear somebody might decompile my app, register and then "scan" my entire database by simply sending requests with different gps data that doesn't actually come from an iOS device. 但是,我担心有人可能会反编译我的应用程序,注册然后“扫描”我的整个数据库,只需发送不具有实际来自iOS设备的不同gps数据的请求。 Is there any way to prevent this? 有什么方法可以防止这种情况吗? I've googled already and found this threat: 我已经google了,发现了这个威胁:
How to make sure API requests come from our mobile (ios/android) app? 如何确保API请求来自我们的移动(ios / android)应用程序?
But I think the problem there is slightly different and does not solve my issue. 但我认为那里的问题略有不同,并没有解决我的问题。
I've looked into API keys but didn't find a way how to stop a malicious user from gaining access to the API through registering/ decompiling and then use his login information along with the key from the code. 我查看了API密钥,但没有找到办法阻止恶意用户通过注册/反编译获取对API的访问权限,然后使用他的登录信息以及代码中的密钥。
Any help is appreciated. 任何帮助表示赞赏。 Jan 一月
3 个解决方案
解决方案1
3 2013-10-11 21:42:51
You could log all of the requests per user, then use the GPS coordinates to apply rules to the user's movement. 您可以记录每个用户的所有请求,然后使用GPS坐标将规则应用于用户的移动。 For example, set a rule that fires if the the coordinates suggest the user is moving faster than 500 mph, or travels more than 10,000 miles in one day, that sort of thing. 例如,如果坐标表明用户移动速度超过500英里/小时,或者在一天内行驶超过10,000英里,则设置一个触发规则。 If the rules fire then the movement is artificial and you're being scanned; 如果规则触发,则移动是人为的并且您正在被扫描; if the rules don't fire it means the user is moving in an ordinary, human way as expected. 如果规则不触发它意味着用户正在按照预期的普通人类方式移动。
解决方案2
2 2013-10-11 21:30:50
好吧,我不是移动设备开发人员,但是如果你没有其他选择,你可以生成一个令牌(一些哈希值),并且每次调用你的API都需要针对令牌进行验证?
解决方案3
1 已采纳 2013-10-13 10:47:00
I had the same problem with such an app before. 我之前遇到过类似问题的问题。 In the end, you cannot really rely on a device based coupling and access rule being checked. 最后,您无法真正依赖于检查基于设备的耦合和访问规则。
First thing to consider is some form of authentication. 首先要考虑的是某种形式的身份验证。 But guessing you already considered that, it might not be applicable to your app. 但猜猜你已经考虑过了,它可能不适用于你的应用。
My approach was to check and restrict the number of queries that can originate from a certain origin for a day. 我的方法是检查和限制一天内某个来源的查询数量。 Calculate based on refresh intervals, what amount of data you would expect to be pulled from your backend, put some 10% on top of that, and stop providing data to that destination once exceeded, and sent an email to the admin about the event so he can look into it, and maybe ban the client permanently. 根据刷新间隔计算,您希望从后端获取的数据量是多少,在此基础上增加10%,并在超出时停止向该目标提供数据,并向管理员发送有关该事件的电子邮件,以便他可以调查一下,也许永久地禁止客户。
As stated in a comment before, not waterproof either, but it works in a device agnostic way, and the harder you make it to abuse, the better it is. 正如之前的评论中所述,也不是防水,但它以设备无关的方式工作,并且你越难以滥用它,它就越好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.