[英]Is it possible to have an ASP.NET Web API that can be only accessed by mobile native apps (iOS, Android, Windows Phone, etc.)?
Let's say I have a public Web API, which does not need authorization, like: 假设我有一个公共Web API,它不需要授权,例如:
public class MobileDataController : ApiController
{
[AllowAnonymous]
public IEnumerable<string> Get()
{
return new string[] { "One", "Two", "Three" };
}
}
Is it possible to make this Web API only available for my iPhone and Android native app? 是否可以使此Web API仅适用于我的iPhone和Android本机应用程序?
Basically I do not want the Web API to process any request that is not coming from my phone native app. 基本上我不希望Web API处理任何不是来自我的手机本机应用程序的请求。
No. What you want is what's called device attestation, which is a concept bundled under Trustworthy Computing . 不。你想要的是什么叫做设备认证,这是一个捆绑在可信赖计算下的概念。 However it's impossible, unless you own the device and can ensure it cannot be jailbroken and all communications cannot be intercepted.
然而,这是不可能的,除非您拥有该设备并且可以确保它不会被越狱并且所有通信都不能被截获。
No matter what code you add an attacker can reverse engineer it. 无论您添加什么代码,攻击者都可以对其进行逆向工程。 An attacker can use fiddler to add the headers you send to indicate it's a mobile device.
攻击者可以使用fiddler添加您发送的标头,以表明它是移动设备。 If you use OAuth with client IDs the client ID needs to be inside your software, and thus can be reverse engineered out.
如果您将OAuth与客户端ID一起使用,则客户端ID需要位于您的软件中,因此可以进行反向设计。
For example, SnapChat doesn't support Windows Phone. 例如,SnapChat不支持Windows Phone。 There are SnapChat clones for Windows Phone, and the only thing SnapChat can do is to file a takedown notice, as, if they're done well, they're indistinguishable from the real clients running on an iPhone.
Windows Phone有SnapChat克隆,SnapChat唯一能做的就是提交删除通知,因为如果它们运行良好,它们与iPhone上运行的真实客户端无法区分。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.