如何安全地确定尝试连接到后端服务器的android应用是我的正版应用?
[英]How to securly veify that an android app that is trying to connect to my backend server is my genuine app?
问题描述
I have android app that connects to my backend server to fetch data. 
我有一个连接到后端服务器以获取数据的android应用。 Right now, it serves as an open API. 现在,它充当开放API。
Some one can modify my app, and still be able to connect to my backend server and get data. 有人可以修改我的应用,但仍然可以连接到我的后端服务器并获取数据。 How can I SECURELY prevent it? 我该如何安全地预防呢?
So in other words, I want that ONLY APKs that are signed by me be able to get service from my backend server. 因此,换句话说,我希望只有我签名的APK才能从后端服务器获得服务。 How this can be implemented? 如何实现呢?
Solution should not rely on signing in users. 解决方案不应依赖于登录用户。 Users do not need to be registered to get service from the server. 无需注册用户即可从服务器获取服务。
[edit] Bonus Question: I publish source code of my app in GIT. [edit]奖励问题:我在GIT中发布了我的应用程序的源代码。 So I do not have much options in hiding some keys inside the source code. 因此,在隐藏源代码中的某些键方面,我没有太多选择。 Yet I want only the apps signed by me to be able to connect to my server. 但是我只希望我签名的应用程序能够连接到服务器。 Is it possible? 可能吗?
3 个解决方案
解决方案1
1 2016-09-02 10:48:15
- Get
certificate fingerprintfrom your app.从您的应用程序获取certificate fingerprint。 follow this link.点击此链接。 This fingerprintis generated from code so it can't be stolen by decompilingapk.此fingerprint是从代码生成的,因此无法通过反编译apk来窃取。 - You can send this
fingerprintusingPOST APIasPOSTdata isencrypted.您可以使用POST API发送此fingerprint因为POST数据已encrypted。 - Verify this
SHAon your server, if that matches then request is coming from your app.在服务器上验证此SHA,如果匹配,则请求来自您的应用。
解决方案2
1 2016-09-02 10:56:36
You can validate your certificate signature/private key (contained in a .keystore or .jks file) at your server for API call you want to secure. 您可以在服务器上验证要保护的API调用的证书签名/私钥 (包含在.keystore或.jks文件中)。
1) embedded your app's signature in your API . 1)在API中嵌入您应用的签名。
2) send signature as a parameter with API call from your app. 2)使用您的应用程序的API调用发送签名作为参数。
3) Check that the signature at runtime matches to your embedded developer signature and respond your request accordingly. 3)在运行时检查签名是否与您的嵌入式开发人员签名匹配,并相应地响应您的请求。
You can get signature runtime with: 您可以通过以下方式获得签名运行时:
public static String checkAppSignature(Context context) {
try {
PackageInfo packageInfo = context.getPackageManager()
.getPackageInfo(context.getPackageName(),
PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
byte[] signatureBytes = signature.toByteArray();
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(signatureBytes);
final String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);
//signature at runtime
return currentSignature;
}
} catch (Exception e) {
//something went wrong, let caller decide on what to do.
}
return "INVALID_SIGNATURE";
}
解决方案3
0 2016-09-02 10:25:05
Differentiate your application access by unique customer-ID or Device-ID. 通过唯一的客户ID或设备ID区分您的应用程序访问。 Whenever your application is making requests verify those ID's on your server side. 每当您的应用程序发出请求时,请在服务器端验证这些ID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.