Client-server communication between Android app and server

I am building an Android application which communicates with a web server for authentication and for getting data from the server. I am using HTTPS/SSL for the communication, with a self-signed certificate on the server, and have allowed that certificate in the Android app. In this way I am sure that I am talking to the correct server. But how do I make sure that the server is getting a request from the right client?

What if I spoof the HTTP request from the browser to send it to the server?

How can the server know whether it is getting a request from the Android application? Is there any way to restrict the server to handling requests only from the mobile app?

That's a complex problem.

You could have a private certificate and its corresponding public certificate signed by a CA recognized by your server (just add the CA's public certificate to the corresponding key store). The main complications of that solution are:
- Somebody can steal the certificate and use it on another device (if this problem is negligible for your application, then this solution is OK).
- Certificate distribution and expiration: you need a solution for bootstrap, certificate distribution, and actions before certificate expiration.

Other solutions could involve having a Device ID (there are some providers for this) and using a One-Time Password.
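The client-certificate approach from the answer above, as an added example that is not part of the original question or answer: a Go program using only the standard library that generates a private CA, issues a server certificate and an app certificate from it, starts an HTTPS server whose trust store holds only that CA for client authentication, and then sends two requests, one presenting the app certificate and one presenting none, which is what a spoofed request from a browser looks like. The CA name, the CN "android-app-build-42", the `check` helper, the loopback `httptest` server and the "localhost" name are all assumptions of this example, not anything from the page; a real Android app would carry a key provisioned to it rather than generate one in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn. With parent == nil the result is
// self-signed and plays the private CA the answer describes; otherwise parent issues it.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial, as a real CA would use
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"}, // the client below verifies the server as "localhost"
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newMTLSServer starts an HTTPS server that demands a client certificate chaining to a CA in
// clientCAs; a client presenting none, or one from another CA, fails the handshake before any handler runs.
func newMTLSServer(cert *x509.Certificate, key *ecdsa.PrivateKey, clientCAs *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer has already verified the chain; the CN tells us which app build is calling.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting that turns on client authentication
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	return srv
}

// get performs one HTTPS GET, trusting roots for the server and presenting certs (nil models
// a browser or curl that has no client certificate).
func get(url string, roots *x509.CertPool, certs []tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: certs}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds the PKI, runs the server and reports what the app got and whether the certificate-less client was rejected.
func Demo() (appBody string, anonymousRejected bool) {
	ca, caKey := issue("Example App CA", nil, nil)
	serverCert, serverKey := issue("api.example.invalid", ca, caKey)
	appCert, appKey := issue("android-app-build-42", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := newMTLSServer(serverCert, serverKey, pool)
	defer srv.Close()
	body, err := get(srv.URL, pool, []tls.Certificate{{Certificate: [][]byte{appCert.Raw}, PrivateKey: appKey}})
	check(err)
	_, err = get(srv.URL, pool, nil)
	return body, err != nil
}

func main() {
	body, rejected := Demo()
	fmt.Printf("app request: %q\nclient without certificate rejected: %v\n", body, rejected)
}
```

The handler only ever runs for a connection whose client chain verified, so the identity check is done before any application code sees the request. The example also shows the first complication the answer lists: the server accepts anyone who holds the app's key and certificate, not "the app". Extracting the key from the APK is enough to replay the handshake from a laptop, so this proves possession of a credential, not which program is calling; hardware-backed key storage on the device raises the cost of extraction but does not change what the server learns.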
