简体繁体 English

如何防止其他iOS / Android应用程序使用我的RESTful API？

[英]How can I prevent other iOS/Android apps from using my RESTful API?

原文 2014-04-01 00:19:07 3 3 android/ ios/ security/ rest

I have a pre-existing iOS & Android app, that I'm making an update for that includes a RESTful services API and Facebook login for user authentication. 我有一个预先存在的iOS和Android应用程序，我正在进行更新，其中包括RESTful服务API和用于身份验证的Facebook登录。 The general flow of the app is: 该应用程序的一般流程是：

Users "logs in" to my app, via Facebook's SDKs, which return an access token to my app. 用户通过Facebook的SDK“登录”到我的应用程序，该SDK将访问令牌返回到我的应用程序。
App calls a RESTful service, including the Facebook access token as a parameter (using HTTPS and SSL) App调用RESTful服务，包括Facebook访问令牌作为参数（使用HTTPS和SSL）
Service that is called, sends the received access token (and app secret stored only on my servers) to Facebook to verify who the user is, and performs actions based on that. 被呼叫的服务将收到的访问令牌（以及仅存储在我的服务器上的应用程序秘密）发送到Facebook以验证用户是谁，并根据该操作执行操作。 Facebook is set to require app secret from server-side calls. Facebook设置为从服务器端调用需要app secret。

My app has gained popularity and has several clones already, and I want to prevent these clones from being able to use my RESTful API (as I am sure that they will try to do when I release the update). 我的应用已经普及并且已经有几个克隆，我想阻止这些克隆能够使用我的RESTful API（因为我确信他们会在我发布更新时尝试做）。 Let's assume that the clones are smart, are using the same Facebook access tokens that my app does (if this is possible), and are following a similar pattern & frequency of calling the API that my app does. 让我们假设克隆是聪明的，使用与我的应用程序相同的Facebook访问权限（如果可能的话），并遵循类似的模式和频率调用我的应用程序所做的API。

Is there anyway to ensure, or nearly ensure, that calls to my services are coming only from my app, and not the clones? 无论如何，确保或几乎确保我的服务的呼叫只来自我的应用程序，而不是克隆？

Thanks in advance! 提前致谢！

3 个解决方案

You can do this by including a signature in the request, and verifying it. 您可以通过在请求中包含签名并进行验证来完成此操作。

App Side: 应用方：

do something like: signature = md5( md5(url + data) + MY_RANDOM_KEY) 做类似的事情： signature = md5( md5(url + data) + MY_RANDOM_KEY)
append signature to the data, or url, etc. 将signature附加到数据或网址等。
send call to REST api (as usual) 发送呼叫到REST api（像往常一样）

Server Side: 服务器端：

extract the signature from the body/url (and remove it from there). 从body / url中提取signature （并从那里删除）。
calculate what you think it should be: signature_should_be = md5( md5(url + data) + MY_RANDOM_KEY) [keep in mind you've removed signature from url/data so that you get url/data in its original pre-hash state] 计算你认为应该是什么： signature_should_be = md5( md5(url + data) + MY_RANDOM_KEY) [请记住你已经从url / data中删除了signature ，这样你就可以获得原始预哈希状态的url / data]
verify that signature and signature_should_be are equal 验证signature和signature_should_be是否相等

Doing this, along with SSL, should make your API secure enough. 这样做以及SSL应该使您的API足够安全。

You could do as Tommy Crush suggests and add a secret inside you application. 你可以这样做，因为Tommy Crush建议并在你的应用程序中添加一个秘密。 But if you are up against clever opponents, this probably won't help. 但如果你对抗聪明的对手，这可能无济于事。 The attackers can either decompile your application or try to simply reverse engineer your signature algorithm. 攻击者可以反编译您的应用程序，也可以尝试简单地对您的签名算法进行逆向工程。

It is important to remember that anything stored within your application should be thought of as already compromised, as an attacker can decompile your app and scour through your code as much as he/she pleases and extract anything he/she wants from it. 重要的是要记住，应用程序中存储的任何内容都应该被视为已经被泄露，因为攻击者可以反编译您的应用程序并尽可能多地搜索您的代码并从中提取他/她想要的任何内容。 You cannot rely on anything in your application to be safe inside your app, since an attacker can extract it from your app into their app. 您不能依赖应用程序中的任何内容来保护您的应用程序，因为攻击者可以将其从您的应用程序中提取到他们的应用程序中。

It is important to note that you are using trying to use OAuth for authentication, which is not intended for. 请务必注意，您正在尝试使用OAuth进行身份验证，但不适用于此身份验证。 It is simply meant for authorization, which is not the same as authentication. 它仅用于授权，与身份验证不同。 Authorization simply gives you access to a resource, but does not tell you who accessed it, which is the problem you are facing. 授权只是让您访问资源，但不告诉您访问它的人，这是您面临的问题。 To authenticate your users as your real users (or as close as you can get), you would need to add a login service for your service - something like rolling your own OAuth-server, or similar. 要将您的用户作为真实用户进行身份验证（或尽可能接近），您需要为您的服务添加登录服务 - 例如滚动您自己的OAuth服务器或类似服务。 Then you can decide who can access the resource, which in this case is your RESTful API :) If this is more work than it is worth, then Tommy's scheme is a good alternative :) 然后你可以决定谁可以访问资源，在这种情况下是你的RESTful API :)如果这比它的价值更多的工作，那么Tommy的计划是一个很好的选择:)

The de facto solution for authentication on restful APIs like Twitter and Facebook use is the OAuth mechanism. 在Twitter和Facebook使用的其他API上进行身份验证的事实上的解决方案是OAuth机制。 You can find more details here: http://en.wikipedia.org/wiki/OAuth . 您可以在此处找到更多详细信息： http ： //en.wikipedia.org/wiki/OAuth 。

OAuth is supported from the majority of the languages with external libraries. 大多数语言都支持OAuth和外部库。 On Android for example there is the https://github.com/wuman/android-oauth-client library. 例如，在Android上有https://github.com/wuman/android-oauth-client库。