How can I make a communication exclusively trusted between mobile/web clients and back-end?

I have a mobile and web application to stream music. Here is my actual architecture:

  • RESTful service (Spring Boot)
  • Spring Security
  • OAuth2
  • HTTPS with domain certificated by CA

The question is: How can I make a communication exclusively between my mobile clients and back-end? (same thing between web client and back-end)

My suggestion is to split the problem in two parts - create two web services:

  1. One back-end for mobile apps (without CSRF protection) with user certificate.
  2. One back-end for web player (with CSRF protection) accepting requests only from web player's domain.

For the mobile problem,

I'm able to intercept my mobile requests via proxy using Fiddler, decrypting HTTPS and getting important information like URL, headers, tokens.

But I know that there is an approach to avoid it, making requests rejected when intercepted by another CA, like an exclusively trusted communication between back-end and mobile apps. How can I do that for the mobile solution?


For the web player problem,

The problem is bigger because the browser will show headers, URLs and tokens to anyone.

As I can't hide this information like the mobile app does, I could make my back-end accept requests only from the web player's domain. What is the best solution for this case?


UPDATED

Decompiling the mobile client is simpler than I imagined. As I can't protect/obfuscate keys, tokens and URLs, my suggestion is to limit requests per user's token on the back-end. But how can I do that on the web player? I have the same token for anyone (no user's authentication).

I found this document about decompiling mobile clients: http://pt.slideshare.net/denimgroup/developing-secure-mobile-applications-17732256
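The "requests rejected when intercepted by another CA" approach the question refers to is certificate pinning: the client checks the hash of the server certificate it actually receives against a value shipped with the app, so a leaf signed by a proxy's CA (such as Fiddler's) is refused before any URL, header or token is sent. The following is an added example, not code from the question or answer; it pins the SHA-256 of the whole leaf certificate using only the Python standard library (production clients usually pin the SubjectPublicKeyInfo instead, so that certificate renewal does not break the app), and the host name and pin value are constructed placeholders.

```python
import base64
import hashlib
import socket
import ssl

# Constructed placeholder: replace with the base64 SHA-256 of your server's
# DER-encoded leaf certificate. Several pins per host allow key rotation.
PINNED_CERT_HASHES = {
    "api.example.com": {"sha256/PLACEHOLDER_PIN_FROM_YOUR_SERVER="},
}


def cert_pin(der_cert: bytes) -> str:
    """Return the pin string ("sha256/<base64>") for a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(host: str, der_cert: bytes, pins=PINNED_CERT_HASHES) -> bool:
    """True if the presented leaf certificate matches one of the pins for host.

    An unknown host has no pins, so it never matches: failing closed avoids
    silently skipping the check when a host name is mistyped.
    """
    return cert_pin(der_cert) in pins.get(host, set())


def connect_pinned(host: str, port: int = 443, pins=PINNED_CERT_HASHES) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf cert matches a pin.

    Normal CA validation still runs first (expired or wrong-name certificates
    are rejected as usual). The pin check is an extra layer on top: an
    intercepting proxy can only present a leaf signed by its own CA, whose
    hash differs from the pinned one, so the socket is closed before the
    application sends anything.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
    if not pin_matches(host, leaf, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}: got {cert_pin(leaf)}")
    return tls
```

As the update above notes, the pin itself can be read out of a decompiled client, so this protects the traffic in transit from third parties, not from someone who controls the device and the app binary.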

I would suggest you use asymmetric cryptography. You request a public key from a server, and encrypt all following communication with it. And only your back-end will understand what you are sending to it, because only it has a private key to decrypt a message.

Note that your users still will be able to extract unencrypted data directly from client memory. And you have no real way to disallow this!
