
GoogleAuthUtil like device authentication for iOS to verify that requests originate from an Apple device

Google Auth Util lets Android developers verify that the requests their servers receive come from an Android device.

The device gets a token from Google based on the Google account associated with the device, then the requests from the device are sent with that token to the server, where the server then asks Google if the token is valid. Any keys are kept out of the app source, so malicious folks cannot crack the app and access private keys and fudge requests to the server.

I've looked for a while and it seems Apple doesn't offer anything like this, but I was hoping there was something functionally similar I could use for iOS.

Update

While the implicit assumption in the question seems reasonable, it is not actually true. Further readings of the Google sources reveal that the purpose of the Auth Util (and later Firebase) is to authenticate the user and secure the server. Given that the server only sees network traffic, it's possible to replicate the traffic from another client.

In addition, the definition of Android is fairly blurry, as OEMs modify the base OS to suit their needs.

This is likely wrong

One option is to use the Apple Push Notification. You can register a device and push notifications specifically to it. When your app loads, it sends a request to the server with its device token and receives what is essentially a session cookie via the APN.

One caveat is that it is not encrypted. You can easily solve this by sending a randomly generated symmetric key in the request. The cookie you get would be encrypted on the server and decrypted using the same key in the iOS device.

This solves the issue of storing keys in the source and proves the requests came from an iOS device.

Of course, this can be simplified by generating a certificate, storing it in the keychain and sending the private key to the server for storage during registration. After the initial registration and validation using APN, subsequent messages can be signed using the device id + certificate public key.

One last issue is that APN can also be used to register OSX devices. I haven't been able to figure out how to exclude those (yet).

Disclaimer: It's been a long day of writing specs. I'm reasonably comfortable with the mechanism of initially registering the iOS device using APN. I may have gotten the encryption parts wrong. If so, comment gently, please.
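The server side of the push round trip described in the answer above, as an added example that is not part of the original post: it swaps the answer's encrypted cookie for a one-time nonce echoed by the app and an HMAC-bound session token, which shows what the exchange establishes (the requester received a push addressed to the device token it presented). `send_push` is a hypothetical stand-in for the real push provider call, and the device tokens used with it are constructed.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # server-only secret; never shipped in the app
PENDING = {}                          # device_token -> (nonce, expiry)
NONCE_TTL = 60                        # seconds a pushed nonce stays valid

def send_push(device_token, payload, outbox):
    """Hypothetical stand-in for the push provider call: 'delivers' into a dict."""
    outbox[device_token] = payload

def _tag(device_token, session_id):
    """HMAC binding a session id to the device token it was issued for."""
    msg = f"{device_token}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def begin_registration(device_token, outbox):
    """Step 1: the app presented a device token; push a one-time nonce to it."""
    nonce = secrets.token_urlsafe(32)
    PENDING[device_token] = (nonce, time.time() + NONCE_TTL)
    send_push(device_token, nonce, outbox)

def complete_registration(device_token, echoed_nonce):
    """Step 2: the app echoes the nonce; issue a session bound to the token."""
    # pop() makes the nonce single use, even when the attempt fails.
    nonce, expiry = PENDING.pop(device_token, (None, 0.0))
    if nonce is None or time.time() > expiry:
        return None
    if not hmac.compare_digest(nonce.encode(), echoed_nonce.encode()):
        return None
    session_id = secrets.token_urlsafe(16)
    return f"{session_id}.{_tag(device_token, session_id)}"

def verify_session(device_token, session):
    """Later requests: reject a session replayed with a different device token."""
    session_id, _, tag = session.partition(".")
    expected = _tag(device_token, session_id)
    return hmac.compare_digest(expected.encode(), tag.encode())

if __name__ == "__main__":
    outbox = {}                       # constructed in-memory push channel
    begin_registration("constructed-token-A", outbox)
    s = complete_registration("constructed-token-A", outbox["constructed-token-A"])
    print(verify_session("constructed-token-A", s))   # same token
    print(verify_session("constructed-token-B", s))   # different token
```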
