
Best way to get data into an android app?

Just a little background. I am a proficient asp.net/c#/sql server programmer who has been learning Android for less than 2 days.

We have an existing .net website which stores a list of locations in MS SQL server 2008 and I'm trying to create an Android application that gets these locations and displays them on a Google Map.

The question really is how to get the app connected to the SQL database. I'm guessing there are a few options....

1) Some kind of direct connection between the app and the remote DB.

2) Creating some kind of middle layer using asp.net that would convert the data into something more usable to the Java code in the android app (bear in mind I know virtually NO java), in exactly the same way that we have .net code which supplies JSON to our web apps.

3) Creating some kind of web service to just return XML results from the web server. No idea how I would secure this so that only the Android app could request the data though.

Any help or advice on best practice would be really useful. I think I just need pointing in the general direction of a good strategy and I can work it out.

No idea how I would secure this so that only the Android app could request the data though.

Your problem is bigger than that.

It does not relate to point (3) only, it relates to any possible approach you are going to choose.

  • If you expose any kind of data in the Internet, it can be accessed with an authentication, or without one.
  • If it's accessed with an authentication, it's either one credential for each user, or one for many users.
  • Once a user has a credential, he can use it however he likes; you can't restrict it any more than completely blocking the credential itself.

Now, you are going this way, ie one credential that is valid for all users, ie the application has got it and it uses it to get the data. The fact that the user himself might not know it is irrelevant.

Remember: security through obscurity just doesn't work. Obscurity is only "one more annoyance" if you want to break in; it's like a dark room with valuables inside: the darkness doesn't help, but it's no excuse for not having a lock. And someone is going to steal something soon, it's just a matter of time.

Your security problem is one of network infrastructure and protocols, not of Android. OAUTH is emerging as a standard way of doing this, and using Google as an example, perhaps a better analog would be access to Google Docs?

more here:

Actually implementing the handshake, etc could take a bit of work depending on just how secure you'd like to make it. Again, this isn't really an "Android thing" so much as it is an architectural challenge first, and once you've made some of those architectural decisions you can actually implement what you've decided to do on Android or anything else.

Conceptually, exposing your data through web services and consuming them down the line from your UI is fine. You've just got to nail down what your security strategy will be, OAuth or otherwise.

Native LDAP support for Android could arrive pretty soon (lots of people want it), that could help for security (ie using your Exchange Server to validate different user credentials instead of using one for the app).

In the meantime, it is true that the data might be more accessible than it should. Is it sensitive?

You cannot actually connect to a remote DB, especially if it is a MS SQL database (android can only deal with SQLite).

Your best option, knowing that you want to secure your data, is to build a Java Interface on the server side, which would have access to your database.

Then, you can do some RMI or you can use sockets to send and receive data (including encrypted data).

Beneath your problem securing the data, the things I would do to solve your task would consist of the following steps:

  • Use a json web service to communicate between the mobile device and your db. A db connection would have to be reestablished every time you access the db because of the flaky network connection of mobile devices. The web service nicely wraps a single question to the db.
  • Use google gson to parse the json into java data objects to handle them in the app.
  • Create a Mapview with your own overlay to display the items on the map.

The security thing is a problem I thought about a lot. If you want to restrict the access to the database you need the app to have some kind of key to authenticate at the web server. The problem is that somebody could just open up your app and look for this key and then remodel the traffic used in your app. You can use the key to do a https connection to your web api; this prohibits others from tapping into the network connection, but the person owning the phone always can access the key.

You always can make it more difficult for the attacker, but you can always fake being a phone app because the auth tokens need to be on the phone. Some ways to make it more difficult are:

  • encrypt the key inside your application; this makes it harder for fast searches inside your class files and easy extraction of the key. But it is only one more layer of hiding, because the key to decrypt has to be in your app as well.
  • generate a second key based on the phone data, add a hash of the imei, the phone number etc. The problem is that this data has to be initially registered at the server, therefore it can simply be faked.

If you simply want your data to be secured from harvesting through a bot, make the server only respond to requests that seem to come from a mobile phone. Block single IPs that make hundreds of calls to the web service etc.
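The point made in the first answer (one credential per user, and the only real control is blocking the credential) and in the last answer (an app-wide key can always be read off the phone) can be demonstrated server-side. The following is an added example, not code from any of the answers: the JSON web service in front of the locations table issues each user a time-limited token signed with a server-only secret, verifies it in constant time, and can revoke a single user's token without affecting anyone else. The secret, the sample locations and the user names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Assumption: this secret lives only on the web server, never in the APK.
SERVER_SECRET = b"constructed-server-secret-replace-me"

# Constructed sample rows standing in for the MS SQL locations table.
LOCATIONS = [{"name": "Office", "lat": 51.5074, "lng": -0.1278},
             {"name": "Depot", "lat": 53.4808, "lng": -2.2426}]

REVOKED_USERS = set()  # per-user revocation, e.g. after a phone is lost


def issue_token(user_id, now, ttl=3600, secret=SERVER_SECRET):
    """Issue base64(claims).HMAC-SHA256 for one user, valid for ttl seconds."""
    claims = json.dumps({"sub": user_id, "exp": int(now) + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_token(token, now, secret=SERVER_SECRET):
    """Return the user id if the token is genuine, unexpired and not revoked, else None."""
    parts = token.split(".", 1)
    if len(parts) != 2:
        return None
    payload, mac = parts
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) < now or claims.get("sub") in REVOKED_USERS:
        return None
    return claims["sub"]


def get_locations(token, now):
    """The JSON endpoint the Android app would call: 401 unless the token checks out."""
    user = verify_token(token, now)
    if user is None:
        return {"status": 401, "body": None}
    return {"status": 200, "body": LOCATIONS}
```

Because every user holds a different token, a key extracted from one phone is blocked by adding that one user to the revocation set; a shared app-wide key would have to be rotated for everyone.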
