What is the best way to secure a RESTful API to be accessed on an iPhone
I am looking for some suggestions on how to secure access to a RESTful API which will initially be used by an iPhone application, but will have other clients in the future. The data exposed by this API must be kept secure as it may contain health information. All access will be done over HTTPS.

I was thinking that I'd like to require pre-registration of the iPhones at setup and then also some type of PIN/password on each request. So, simply knowing the password without pre-registering the phone/client won't provide access. I was thinking about somehow tying it to the iPhone identifier if that is possible, but not sure it would provide any additional security. The iPhone identifier is just another piece of information and it may not even be that secret.

So, some requirements would be:
I would think that, if the application contains medical records, you would want to have the user authenticate every time they use the application or, at least, have some way of pushing down a disable message that renders the app useless in the case where it is lost or stolen. The 4-6 character password (PIN) would also concern me with respect to HIPAA, if it applies.

You might want to treat it as a standard web app from the server perspective and do session-based authentication and access with a session that times out, perhaps after a long period, and re-authentication on timeout.
You could use SSL with client authentication. If a device gets lost, you can remove the certificate on the server. There are some obstacles though:
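One way to implement the client-certificate approach in the answer above, as an added Go example that is not code from the post: the API server requires a client certificate chained to a per-device registration CA (the pre-registration the question asks for) and rejects the certificate serial of any device reported lost. The registration CA, the per-device certificate issuance and the app-layer PIN check are assumed to exist elsewhere; the revocation list is kept in memory here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"sync"
)

// DeviceRegistry is the server-side list of pre-registered phones: each device is enrolled
// by issuing it a client certificate from the registry CA, and a lost device is "removed
// on the server" by recording its certificate serial as revoked.
type DeviceRegistry struct {
	Roots   *x509.CertPool // CA(s) that issued the per-device client certificates (assumed to exist)
	revoked sync.Map       // certificate serial (decimal string) -> true; safe across concurrent handshakes
}

// Revoke blocks a lost or stolen device; it takes effect on the next TLS handshake.
func (r *DeviceRegistry) Revoke(cert *x509.Certificate) {
	r.revoked.Store(cert.SerialNumber.String(), true)
}

// Check runs after Go's TLS stack has verified the chain against Roots. It rejects revoked
// devices and returns the enrolled device ID (the CommonName), so the API can bind the
// request to a registered phone rather than to a password alone.
func (r *DeviceRegistry) Check(verifiedChains [][]*x509.Certificate) (string, error) {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return "", errors.New("client presented no certificate chain")
	}
	leaf := verifiedChains[0][0]
	if _, gone := r.revoked.Load(leaf.SerialNumber.String()); gone {
		return "", fmt.Errorf("device %q: certificate serial %s is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
	}
	return leaf.Subject.CommonName, nil
}

// TLSConfig makes the API server demand a client certificate chained to Roots (the
// pre-registration requirement) and then applies the revocation check above.
func (r *DeviceRegistry) TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  r.Roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			_, err := r.Check(chains)
			return err
		},
	}
}
```

Pass the returned config to `http.Server.TLSConfig`; an HTTP handler can then read the enrolled device ID from the request's `TLS.VerifiedChains` before it checks the per-request PIN.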