如何防止Android应用程序中使用的文件的直接URL访问?
[英]How to prevent direct URL access of a file which is used in an Android app?
问题描述
I have an mp3 file in a server, Example: www.example.com/Album/Songs/abc.mp3. 
我在服务器中有一个mp3文件,例如:www.example.com/Album/Songs/abc.mp3。
I am building an android app to list all files under 'Songs' folder and then play the selected ones. 我正在构建一个Android应用,以列出“歌曲”文件夹下的所有文件,然后播放选定的文件。
Now, is there a way to prevent direct access to the mp3 file incase if someone gets hold of the URL? 现在,有没有一种方法可以防止在有人掌握URL的情况下直接访问mp3文件?
I tried the usual methods like rewrite engine. 我尝试了重写引擎之类的常用方法。 It prevents direct URL access but it also blocks my app from using the files. 它阻止了直接URL访问,但也阻止了我的应用使用这些文件。
Here's my android code to play the files: 这是我用来播放文件的android代码:
MediaPlayer player = new MediaPlayer();
player.setAudioStreamType(AudioManager.STREAM_MUSIC);
player.setDataSource(song_path);
player.prepare();
player.start();
The song_path is simply http://www.example.com/Album/Songs/abc.mp3 song_path只是http://www.example.com/Album/Songs/abc.mp3
PS: I understand that encrypting through ProGuard will make it nearly impossible to get the direct URL through reverse engineering. PS:我知道通过ProGuard进行加密将几乎不可能通过逆向工程获得直接URL。 I still wanted to check if there is any other way to make it work. 我仍然想检查是否还有其他方法可以使它工作。
2 个解决方案
解决方案1
1 2016-10-16 08:01:57
there is nothing you an do about it in your android app. 在您的android应用中,您无能为力。 its a policy the server side should take to prevent this. 服务器端应采取的策略来防止这种情况。 even if you proguard your APK there apps like wireShark which can sniff your app and find what APIs you are calling. 即使您保护您的APK,也可以使用wireShark之类的应用程序来嗅探您的应用程序并找到您正在调用的API。
there are some ways to do this. 有一些方法可以做到这一点。 some try to generate temprory links whenever the app (with a user that is logged in) calls a say play API they provide the app wit ha temporary link that will invalidates some minuets (or hour) later. 每当应用程序(具有登录用户的应用程序)调用一个说说播放API时,他们都会尝试生成临时链接,他们会使用临时链接为应用程序提供该应用程序,这些临时链接将使某些小块(或一小时)无效。 then app uses that link to play the music or whatever. 然后应用程序使用该链接播放音乐或其他内容。
another scenario is to encrypt the music bytes and decrypt in the application side that has more complicated considerations. 另一种情况是对音乐字节进行加密并在应用程序端进行解密,这需要考虑更复杂的因素。
解决方案2
1 2016-10-16 09:31:03
You can use player.setDataSource(Context context, Uri uri, Map<String, String> headers) to send a custom header . 您可以使用player.setDataSource(Context context, Uri uri, Map<String, String> headers)发送自定义header 。 You can then check for that custom header in PHP or in Apache before returning the mp3. 然后,您可以在返回mp3之前,在PHP或Apache中检查该自定义标头。
To check in Apache, you would use a rewrite rule to check for and allow only connections with the correct header . 要检入Apache,可以使用rewrite rule来检查并仅允许使用正确的header 。
In PHP, you could use $_SERVER['HTTP_*YOUR_HEADER_HERE*'] and then echo the MP3 file along with the correct headers. 在PHP中,可以使用$_SERVER['HTTP_*YOUR_HEADER_HERE*'] ,然后echo显MP3文件以及正确的标题。 Might be a bit tricky if you allow seeking. 如果允许搜索,可能会有些棘手。
The Apache rewrite rule may be the easiest to implement. Apache rewrite rule可能是最容易实现的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.