
Different ways to authenticate smartphone application like Android

I am looking for different ways to authenticate clients like Android, iPhone, Windows and BlackBerry apps, and which one is better and why.

As per my research I know of 2 ways to authenticate a client:

1. A private key embedded inside the smartphone app which will be used to sign the message. The problem with this is that it's easy for a hacker to get access to the private key.
2. A client certificate.

Are there other ways to authenticate these smartphone apps, and which one is the most secure?

Both of the options you list here are really the same. A client certificate is really just the public key part of a private/public keypair that is signed by some entity, along with some identification information.

The best way to authenticate the client is to use mutually authenticated SSL. You can use self-signed certificates here, so you don't need to buy any from a CA, assuming you control all of the clients that you want to allow access and you control the servers they are going to talk to. This will ensure that your clients only receive data from your legitimate server (configure the SSL system for your application to only accept the self-signed certificate that your server is using) and your server only accepts data from your authorized clients (configure your server to only accept the self-signed certificates deployed in your app as a resource for client authentication). There is a complete step-by-step rundown on how to do this for Android in Application Security for the Android Platform, published by O'Reilly.

You are correct in that you need to embed some secret information (a private key) in your client application, and an attacker will be able to compromise it. The best solution you have within Android right now is to put the certificate and private key in a Keystore that you include in your application APK as a resource, and have your application access the Keystore when it needs to use the key. That means your application will need to have the password to the Keystore. So, how you protect that password becomes important. You can obfuscate your code to make it harder for an attacker to determine that password, but that will only slow down a determined attacker who is reverse engineering your application. However, short of requiring the user of the device to type that password in every time they want to use your application, that's the best you can do. If your client app that is running on the device needs access to something that it stores, a person with access to that device will be able to access it as well. All you can do is make it more difficult.
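The mutual TLS setup the answer describes (pin the server's self-signed certificate on the client, ship a client certificate and key in a Keystore inside the APK, and have the server refuse handshakes without that client certificate), as an added example in Java. This is not code from the original post, from the O'Reilly book, or from any project. Everything named here is assumed for the example: the resources R.raw.client_p12 (a PKCS12 keystore with the app's certificate and private key) and R.raw.server_crt (the server's self-signed certificate only), the KEYSTORE_PASSWORD constant, and the class and method names.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

import android.content.Context;

/**
 * Mutually authenticated TLS with self-signed certificates, as described in the
 * answer above. Added example; not code from the original post.
 *
 * Assumed resource names (chosen for this example, not from the post):
 *   res/raw/client_p12 - PKCS12 keystore holding the app's client cert + private key
 *   res/raw/server_crt - the server's self-signed certificate (DER or PEM), no key
 */
public final class MutualTls {

    // The secret the answer warns about: it ships inside the APK, so obfuscating it
    // only slows down someone reverse engineering the app, it does not stop them.
    private static final char[] KEYSTORE_PASSWORD = "example-password".toCharArray();

    private MutualTls() {}

    /** Key managers that present the identity in a PKCS12 keystore (cert + private key). */
    static KeyManagerFactory identity(InputStream p12, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(p12, password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, password);
        return kmf;
    }

    /** Trust managers that accept exactly one certificate: the peer's self-signed cert, no system CAs. */
    static TrustManagerFactory trustOnly(InputStream peerCert) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(peerCert);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);                   // start empty: nothing else is trusted
        store.setCertificateEntry("peer", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf;
    }

    /** SSLContext for either side: our own identity plus a single pinned peer certificate. */
    static SSLContext context(InputStream ownP12, char[] password, InputStream peerCert) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(identity(ownP12, password).getKeyManagers(),
                 trustOnly(peerCert).getTrustManagers(), null);
        return ctx;
    }

    /** Android client: the connection only succeeds against the pinned server. */
    public static HttpsURLConnection openFromApp(Context app, String url) throws Exception {
        SSLContext ctx;
        try (InputStream p12 = app.getResources().openRawResource(R.raw.client_p12);
             InputStream srv = app.getResources().openRawResource(R.raw.server_crt)) {
            ctx = context(p12, KEYSTORE_PASSWORD, srv);
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays on: the pinned cert's CN/SAN must still match the URL host.
        return conn;
    }

    /** Server side (plain Java): refuse any handshake that does not present the app's client cert. */
    public static SSLServerSocket listen(InputStream serverP12, char[] password,
                                         InputStream clientCert, int port) throws Exception {
        SSLContext ctx = context(serverP12, password, clientCert);
        SSLServerSocket socket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        socket.setNeedClientAuth(true);   // "need", not "want": no client cert means no connection
        return socket;
    }
}
```

Two points worth keeping in mind when using a setup like this. The trust store is built empty and then given a single certificate, so the client will not accept a certificate from any public CA for this connection; that is the pinning the answer calls for. And because the same client certificate ships in every copy of the app, the server learns that it is talking to your app, not which user is behind it; a user login still has to happen inside the tunnel if the server needs to know that.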

Statement: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to republish, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM