确保在iPhone上访问RESTful API的最佳方法是什么?
[英]What is the best way to secure a RESTful API to be accessed on an iPhone
问题描述
I am looking for some suggestions on how to secure access to a RESTful API which initially be used by an iPhone application, but will have other clients in the future. 
我正在寻找一些关于如何保护对最初由iPhone应用程序使用的RESTful API的访问的建议,但将来会有其他客户端。 The data exposed by this API must be kept secure as it may contain health information. 此API公开的数据必须保持安全,因为它可能包含健康信息。 All access will be done over HTTPS. 所有访问都将通过HTTPS完成。
I was thinking that I'd like to require pre-registration of the iphones at setup and then also some type of PIN/Password on each request. 我想我想要在安装时预先注册iphone,然后在每个请求上也要求某种类型的PIN /密码。 So, simply knowing the password without pre-registering the phone/client won't provide access. 因此,只需在不预先注册电话/客户端的情况下了解密码就无法提供访问权限。 I was thinking about somehow tying it to the iPhone identifier if that is possible, but not sure it would provide any additional security. 如果可能的话,我正在考虑以某种方式将它绑定到iPhone标识符,但不确定它是否会提供任何额外的安全性。 The iPhone identifier is just another piece of information and it may not even be that secret. iPhone标识符只是另一条信息,甚至可能不是那么秘密。
So, some requirements would be: 所以,一些要求是:
- Use some type of pin-based solution on the iPhone, but want more security then a simple 4-6 digit pin can provide. 在iPhone上使用某种类型的基于引脚的解决方案,但是需要更高的安全性,然后可以提供简单的4-6位数引脚。
- No passwords could be sent in the clear. 没有密码可以清除。
- Not be subject to reply attacks 不受回复攻击
- Having to pre-exchange some data between client and server when setting up client is OK. 在设置客户端时必须在客户端和服务器之间预交换一些数据是可以的。
2 个解决方案
解决方案1
1 2010-01-10 13:56:09
I would think that, if the application contains medical records, you would want to have the user authenticate every time they use the application or, at least, have some way of pushing down a disable message that renders the app useless in the case where it is lost or stolen. 我认为,如果应用程序包含医疗记录,您可能希望每次使用应用程序时让用户进行身份验证,或者至少有一些方法可以按下禁用消息,导致应用程序无法使用丢失或被盗 The 4-6 character password (pin) would also concern me with respect to HIPAA, if it applies. 如果适用的话,4-6字符密码(pin)也会引起我关于HIPAA的问题。
You might want to treat it as a standard web app from the server perspective and do session-based authentication and access with a session that times out, perhaps after a long period, and re-authentication on timeout. 您可能希望从服务器角度将其视为标准Web应用程序,并使用可能在很长一段时间后超时的会话执行基于会话的身份验证和访问,并在超时时重新进行身份验证。
解决方案2
0 2010-01-11 00:22:05
You could use SSL with client authentication. 您可以将SSL用于客户端身份验证。 If a device gets lost, you can remove the certificate on the server. 如果设备丢失,您可以删除服务器上的证书。 There are some obstacles though: 但是有一些障碍:
- It is not entirely clear if/how you can do client authenticated SSL on the iPhone Unfortunately, there is not much documentation about it. 目前还不完全清楚是否/如何在iPhone上进行客户端身份验证的SSL。遗憾的是,没有太多关于它的文档。 Have a look at Certificate, Key, and Trust Services Reference 查看证书,密钥和信任服务参考
- You have to create a private key for every device 您必须为每个设备创建一个私钥
- You also have to figure out a secure way to transfer the private key to the device 您还必须找到一种将私钥传输到设备的安全方法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.