使用Android设备通过REST API保护身份验证?
[英]Securing authentication through a REST API with an Android device?
问题描述
I'm sketching out a solution where an Android app connects to a REST API on the web. 
我正在草拟一个Android应用程序连接到Web上的REST API的解决方案。 Users should be able to create a profile, and then perform certain requests on that profile (change name, email etc.). 用户应该能够创建配置文件,然后在该配置文件上执行某些请求(更改名称,电子邮件等)。 Searching around for similar questions yielded a recommendation for a private/public key solution from a good portion of the answers. 搜索类似的问题,从大部分答案中得出私有/公钥解决方案的建议。
This guy explains the procedure very well: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ 这个人很好地解释了这个程序: http : //www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
This procedure depends entirely on the prerequisite that the private key is indeed private. 此过程完全取决于私钥确实是私有的先决条件。 And I didn't find any answers that address this. 我没有找到解决这个问题的任何答案。 But if the server and client has to have the same private key, then it would have to have been transferred between both parties at some point, which would inevitably expose it to somebody watching the traffic. 但是,如果服务器和客户端必须具有相同的私钥,那么它必须在某个时刻在双方之间进行转移,这将不可避免地将其暴露给观看流量的人。 So is there a secure way to establish the same private key between both parties? 那么在双方之间建立相同的私钥是否有安全的方法?
Another question, when the client obtains the private key (securely), how should it be stored? 另一个问题,当客户端(安全地)获取私钥时,应该如何存储? Is something like Shared Preferences secure enough? 共享首选项之类的东西足够安全吗? My concerns are that somebody with rooted access could access this easily. 我担心的是,具有root权限的人可以轻松访问它。
1 个解决方案
解决方案1
2 2012-02-20 14:38:42
只需使用TLS建立安全连接即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.