How can I make a communication exclusively trusted between mobile/web clients and back-end?
I have a mobile and web application to stream music. Here is my actual architecture:
The question is: how can I make the communication exclusively between my mobile clients and back-end? (The same applies between the web client and back-end.)
My suggestion is to split the problem into two parts and create two web services:
For the mobile problem,
I'm able to intercept my mobile requests via proxy using Fiddler, decrypting HTTPS and getting important information like URL, headers, tokens.
But I know that there is an approach to avoid this by making requests get rejected when they are intercepted by another CA, like an exclusively trusted communication between the back-end and mobile apps. How can I do that for the mobile solution?
For the web player problem,
the problem is bigger because the browser will show headers, URLs and tokens to anyone.
As I can't hide this information like the mobile app does, I could make my back-end accept requests only from the web player's domain. What is the best solution for this case?
UPDATED
Decompiling the mobile client is simpler than I imagined. As I can't protect/obfuscate keys, tokens and URLs, my suggestion is to limit requests per user's token on the back-end. But how can I do that on the web player? I have the same token for everyone (no user authentication).
I found this document about decompiling mobile clients: http://pt.slideshare.net/denimgroup/developing-secure-mobile-applications-17732256
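As an added example (not part of the original question or any answer on the page): one way to make the mobile client reject a connection that arrives through a certificate it was not built to trust, such as an interception proxy's CA that has been installed on the device, is to pin the back-end certificate's fingerprint in the client. Standard chain and hostname verification is kept, and the pin check is applied on top of it. The fingerprint values, host name and port below are placeholders; a real client embeds the fingerprints of its own back-end certificate plus a backup certificate so that rotating the server certificate does not lock out installed clients.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed pin set (placeholders, not real fingerprints): SHA-256 over the
# DER-encoded leaf certificate(s) this client is willing to talk to. Keep at
# least one backup pin so a certificate rotation does not brick the app.
PINNED_SHA256 = {
    "PLACEHOLDER_CURRENT_CERT_FINGERPRINT",
    "PLACEHOLDER_BACKUP_CERT_FINGERPRINT",
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals any pinned value.

    compare_digest keeps the comparison constant-time, which is cheap
    insurance even though fingerprints are not secrets.
    """
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pinned) for pinned in pins)


def open_pinned_connection(host: str, port: int, pins, timeout: float = 5.0):
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    The default context still validates the chain against the system trust
    store and checks the hostname; the pin is an extra condition, so a
    certificate minted by a locally installed interception CA passes chain
    validation but fails here and the socket is closed before any request
    (URL, headers, token) is sent.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf_der = tls.getpeercert(binary_form=True)
        if not pin_matches(leaf_der, pins):
            raise ssl.SSLError("certificate pin mismatch for %s" % host)
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Offline self-check with constructed certificate bytes (not a real DER cert).
    sample = b"constructed-leaf-certificate-bytes"
    print("pinned copy accepted:", pin_matches(sample, {fingerprint(sample)}))
    print("placeholder pins reject it:", not pin_matches(sample, PINNED_SHA256))
    # A live call would look like:
    # tls = open_pinned_connection("api.example.invalid", 443, PINNED_SHA256)
```

Pinning only raises the bar: as the update above notes, the client can be decompiled, so a determined user can patch the pin check out of their own copy of the app. It does stop passive interception of other users' traffic by anyone who merely installs a proxy CA, which is the scenario the question describes, and it must be paired with a rotation plan (backup pins, an app update before the pinned certificate expires) or the app will fail closed at the worst moment.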
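Also as an added example, not taken from the original post: the "limit requests per user's token on the back-end" idea from the update, written as a sliding-window limiter keyed by the bearer token. It also covers the web-player case the update asks about, where every visitor carries the same token: keying on that shared token would put all web users in one bucket, so the key function falls back to the client address instead. The header name, limits, window size, the fake clock and the shared-token list are assumptions made for the demonstration.

```python
import time
from collections import defaultdict, deque


class PerKeyRateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds per key.

    A deque of hit timestamps is kept per key; timestamps older than the
    window are dropped on each check. `clock` is injectable so the behaviour
    can be exercised deterministically (see FakeClock below).
    """

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def request_key(headers: dict, client_ip: str, shared_tokens) -> str:
    """Pick the bucket a request is charged to.

    Per-user tokens (mobile app, logged-in users) get their own bucket.
    A token that is the same for everyone (the web player case) says nothing
    about who is calling, so those requests are bucketed by client address.
    """
    auth = headers.get("Authorization", "")  # assumed header layout: "Bearer <token>"
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token and token not in shared_tokens:
        return "token:" + token
    return "ip:" + client_ip


class FakeClock:
    """Controllable clock for the offline simulation below."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def simulate():
    """Replay a constructed request sequence; returns the allow/deny decisions."""
    clock = FakeClock()
    limiter = PerKeyRateLimiter(limit=3, window=60.0, clock=clock)
    shared = {"shared-web-player-token"}  # constructed value
    # Constructed traffic: five rapid calls from one mobile user, then two web
    # visitors who carry the identical shared token but come from different IPs.
    traffic = [
        ({"Authorization": "Bearer user-42-token"}, "203.0.113.5"),
    ] * 5 + [
        ({"Authorization": "Bearer shared-web-player-token"}, "198.51.100.7"),
        ({"Authorization": "Bearer shared-web-player-token"}, "198.51.100.8"),
    ]
    decisions = []
    for headers, ip in traffic:
        key = request_key(headers, ip, shared)
        decisions.append((key, limiter.allow(key)))
        clock.now += 1.0  # one second between requests
    return decisions


if __name__ == "__main__":
    for key, allowed in simulate():
        print(f"{key:32s} {'allowed' if allowed else 'REJECTED'}")
```

Keying by client address is a weak fallback (shared NATs and proxies collapse many users into one bucket, and an abuser can spread across addresses), which is why the limit for that bucket should be looser than the per-user one and why the real fix for the web player is to give each session its own short-lived token rather than one token for everyone.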
I would suggest that you use asymmetric cryptography. You request a public key from the server and encrypt all following communication with it. And only your back-end will understand what you are sending to it, because only it has the private key to decrypt the message.
Note that your users will still be able to extract unencrypted data directly from client memory. And you have no real way to disallow this!