我应该直接从Android应用上传到Google云端存储吗?
[英]Should I be uploading to Google Cloud Storage directly from an Android App?
问题描述
This is a security question. 
这是一个安全问题。
I have an Android app that allows users to upload their private images to my Google Cloud Storage bucket. 我有一个Android应用,允许用户将其私有图片上传到我的Google云端存储分区。 I have two options: 我有两个选择:
Send the image data to my server, which will then handle the upload.
将图像数据发送到我的服务器,然后服务器将处理上传。 Perform the upload directly via the client (Android app).
直接通过客户端(Android应用程序)执行上传。
In my case, the files need to be publicly visible (to allow users to share their uploads), so I use obscure randomly-generated URLs to ensure nobody stumbles upon private images. 在我的情况下,文件需要公开显示(以允许用户共享他们的上传),所以我使用模糊的随机生成的URL来确保没有人偶然发现私人图像。
I can't figure out any way to make the second approach secure , because: 我无法弄清楚任何方法使第二种方法安全 ,因为:
I would need to embed my API access credentials within the app, which is impossible to do securely.
我需要在应用程序中嵌入我的API访问凭据,这是不可能安全的。 If somebody got their hands on my credentials, they could list the contents of the bucket and discover everyone's files.
如果有人拿到我的凭据,他们可以列出存储桶的内容并发现每个人的文件。 This would be terrible! 这太可怕了! The absence of a working example for Android on the Google Cloud Platform documentation also suggests that Google don't support the client approach.
Google Cloud Platform文档中缺少Android的工作示例也表明Google不支持客户端方法。 (There's a general Java solution, but it will not work on Android out-of the box). (这是一个通用的Java解决方案,但它不适用于Android开箱即用)。
Despite all of these shortcomings, I know that a many people have chosen the client upload approach.
1 个解决方案
解决方案1
0 2016-11-07 18:51:29
The very most secure option involving the customers directly uploading the data would be to have your server generated signed URLs and vend them to users when they want to upload something. 涉及客户直接上传数据的最安全选项是让您的服务器生成签名URL,并在他们想要上传内容时将其提供给用户。 The server would pick a unique object name, generate a URL that would be used to upload the object, then sign that URL with a service account that has permission to write to that bucket. 服务器将选择一个唯一的对象名称,生成一个用于上传对象的URL,然后使用有权写入该存储桶的服务帐户对该URL进行签名。 Presumably you have some mechanism of authenticating users of your application, and you would only vend signed URLs to users who passed whatever current check you're using. 据推测,您可以使用某种机制对应用程序的用户进行身份验证,并且只会向通过您正在使用的当前检查的用户提供已签名的URL。
The downside of this approach is the added complexity of implementing a signed URL vending service as well as requiring the customer to make two requests instead of one. 这种方法的缺点是实现签名的URL自动售货服务增加了复杂性,并要求客户提出两个请求而不是一个。 The upside is giving your server near-perfect control of what customers may do. 好处是让您的服务器能够近乎完美地控制客户的行为。
Note that for uploads you have two options for signed URLs: a regular signed URL , and a signed "policy document" that gives the caller a bit more leeway on what sort of uploads are acceptable. 请注意,对于上传,您有两种签名网址选项: 常规签名网址和签名的“政策文档” ,可让调用者更多地了解可接受的上传类型。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.