
Secure communication between iOS app and Raspberry Pi

I want to create a secure communication channel between my RPI and an iOS 11 mobile application in a local environment. My RPI is running Python API code and my iOS mobile app makes different API calls to the RPI. For the secure connection I'm using certificates signed by my private Certificate Authority. All certificates and signing requests were created using the "OpenSSL" Linux command line tool.

As I mentioned earlier, the devices communicate on the local network over the default .local domain, which is configured by the avahi service on the Linux device and the Bonjour (zeroconf) service on the iOS device. In the beginning I had some issues with loading certificates in the mobile app, and after doing some research I found that I must have the "NSAllowsLocalNetworking" flag enabled inside the Xcode IDE. With the "NS" flag enabled, SSL certificate pinning was successful and secure communication was established.

What I don't know and would like to find out are two things:

  1. Is there any restriction from Apple's side on publishing the application to the App Store when the "NSAllowsLocalNetworking" flag is enabled?
  2. Besides using certificates, what other options do I have in terms of secure communication between the iOS mobile app and the RPI?

You are using the correct approach. Using a self-signed certificate with certificate pinning is the right approach and will allow you to trust the connection, as long as you have protected the key used to generate the cert.

In fact, it is recommended by Apple:

Note: Although ATS is unenforced for connections to local hosts, Apple strongly recommends using Transport Layer Security (TLS) for any local connection, along with the use of a self-signed certificate to validate the local IP address.

Apple created NSAllowsLocalNetworking specifically for scenarios such as this. As of the current Apple documentation, use of this flag will not trigger the need to provide Apple with justification for disabling ATS. One additional thing to note is that this flag is only supported on iOS 10 and later.

If you need to support older versions, Apple offers a way to do this. Basically, you set both the NSAllowsArbitraryLoads flag to true, as well as the NSAllowsLocalNetworking flag. iOS 9 only understands NSAllowsArbitraryLoads, so iOS 9 devices disable ATS altogether. iOS 10+ understands both NSAllowsArbitraryLoads and NSAllowsLocalNetworking, so it has logic built in to let NSAllowsLocalNetworking override NSAllowsArbitraryLoads, which leaves ATS protections on for the rest of the app while allowing local network connections to go through. Apple covers that on their documentation page under the header "Supporting Older Operating Systems".
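As an added example (not from the question or the answer above), this is the Info.plist NSAppTransportSecurity entry that implements the "support older operating systems" arrangement the answer describes, with both flags set:

```xml
<!-- Info.plist fragment (added example). Implements the iOS 9 + iOS 10+
     arrangement described above: iOS 9 only reads NSAllowsArbitraryLoads and
     therefore disables ATS app-wide; iOS 10+ lets NSAllowsLocalNetworking
     override it, so ATS stays enforced for every non-local host. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Only needed while iOS 9 is supported. Once the deployment target is
         iOS 10 or later, delete this key so ATS is never disabled app-wide. -->
    <key>NSAllowsArbitraryLoads</key>
    <true/>

    <!-- iOS 10+: relaxes ATS for .local and unresolvable local hosts only,
         leaving ATS protections on for the rest of the app. -->
    <key>NSAllowsLocalNetworking</key>
    <true/>
</dict>
```

These keys only relax ATS for local hosts; the certificate pinning against your private CA still has to be implemented in the app's URLSession delegate, and with an iOS 10+ deployment target NSAllowsLocalNetworking on its own is sufficient.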
