[英]How to verify requests in backend
I'm creating a payment android library( aar
) and i have to make sure that all of the requests that i got in back-end
are from my lib not a fake lib. 我正在创建一个付款android库(
aar
),我必须确保我在back-end
收到的所有请求都来自我的库,而不是假库。
how can i do it? 我该怎么做?
I used two ways before: 我之前使用过两种方法:
1- Easy and bad way: Try to use a hardcoded String like JWT in your app and use a strong obfuscator to avoid decompiling the application. 1-简单又糟糕的方法:尝试在应用程序中使用像JWT这样的硬编码字符串,并使用强大的混淆器来避免对应用程序进行反编译。
2- Better way: You can use instance id
and send it to your backend and server can inquire this id from the Google and there are some elements like package id
in the response which server can use to accept or reject the request. 2-更好的方法:您可以使用
instance id
并将其发送到后端,服务器可以从Google查询此ID,并且响应中包含一些元素(如package id
,服务器可以使用这些元素接受或拒绝请求。
A sample response from the Google: 来自Google的样本回复:
{
"application":"com.iid.example",
"authorizedEntity":"123456782354",
"platform":"Android",
"attestStatus":"ROOTED",
"appSigner":"1a2bc3d4e5",
"connectionType":"WIFI",
"connectDate":"2015-05-12
}
}
reference: https://developers.google.com/instance-id/reference/server 参考: https : //developers.google.com/instance-id/reference/server
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.