保护应用程序中的Web服务
[英]Securing the web service in app
问题描述
I am going to make an application (iOS and Android) that will use a web service that I am developing. 
我将制作一个将使用我正在开发的Web服务的应用程序(iOS和Android)。 I will use HTTPS and SSL so that the data sent from the app to the server is secured. 我将使用HTTPS和SSL,以便保护从应用程序发送到服务器的数据。 However how do I stop (or make the life of people who decompile the app hard) "hackers" from decompiling the source code where the URL is written? 但是,如何停止“黑客”(从反汇编应用程序的人的生活中)“反汇编” URL所在的源代码呢?
I don't want other people to make an application that use my data. 我不希望其他人创建使用我的数据的应用程序。
The users of my app will have to register and login in order to use it. 我的应用程序的用户将必须注册并登录才能使用。 I have read something about authenticating the users and pass a key back (the way Facebook does). 我已经阅读了一些有关对用户进行身份验证并向其传递密钥的方式(Facebook这样做的方式)。 However wouldn't this mean that a "hacker" could sign up and then use the same key? 但是,这是否意味着“黑客”可以注册然后使用相同的密钥? Would you need to track the usage of each key to look for irregular use? 您是否需要跟踪每个密钥的使用情况以查找不规律的使用情况?
The server technology is either Java EE or Scala (Lift). 服务器技术是Java EE或Scala(Lift)。
2 个解决方案
解决方案1
4 已采纳 2012-03-04 11:01:54
First: There is no 100% security for anything you run on a device that is not under your control (like iOS and Android devices in your case). 第一:在不受您控制的设备(例如iOS和Android设备)上运行的任何设备都没有100%的安全性。
You could make "abuse" harder by several measures: 您可以通过以下几种方法使“滥用”更加困难:
- issue a session key after a successfull login with a time-limit so a new login needs to happen after a certain time has passed by 在有时间限制的成功登录后发出会话密钥,因此需要经过一定时间后才能进行新的登录
- issue an interaction key for every communication step which gets invalidated right after one usage 为每个通信步骤发出一个交互密钥,该交互密钥在一次使用后立即失效
- when a successfull login happens terminate any other session associated with the same credentials that might be active before that login 成功登录后,终止与该登录之前可能处于活动状态的相同凭据关联的任何其他会话
- "throttle" usage (might be impossible depending on the specific application) “节流阀”用法(根据特定应用程序可能是不可能的)
IF you really really want to make it very hard you can issue a device-specific client-certificate and use cert-based client authentication (defined in SSL standard) - you can invalidate the cert associated with the device if you see abuse without harm for the legitimate users of other devices... 如果您真的真的想加倍努力,可以发出特定于设备的客户端证书并使用基于证书的客户端身份验证(在SSL标准中定义)-如果看到滥用而对设备无害,则可以使与设备关联的证书无效其他设备的合法用户...
解决方案2
2 2012-03-04 11:00:50
This is more-or-less impossible. 这或多或少是不可能的。 You can use bytecode obfuscation to make decompiling harder, but anyone who tries hard enough can see what the code is doing. 您可以使用字节码混淆处理来提高反编译的难度,但是任何努力的人都可以看到代码在做什么。
If you are allowing access to the data to people that you can't trust, then the only things you can do are to 如果您允许不信任的人访问数据,那么您唯一可以做的就是
- ask nicely (please don't abuse my data) 好问(请不要滥用我的数据)
- authenticate users so you can monitor individual usage, and maybe apply usage or rate limits (like Twitter does) 对用户进行身份验证,以便您可以监视个人使用情况,并可能应用使用情况或速率限制(如Twitter所做的那样)
- make people sign a legal agreement (unlikely to attract many users unless your data/app is very valuable to them!) 使人们签署法律协议(除非您的数据/应用对他们非常有价值,否则不可能吸引许多用户!)
Also consider whether you can do more server-side processing so that less raw data is sent to the client. 还要考虑是否可以执行更多的服务器端处理,以便将更少的原始数据发送到客户端。 I don't know what your data is like, but taking the example of maps, if you send a pre-rendered bitmap rather than some lat/long vector data, then extracting anything useful is much harder work. 我不知道您的数据是什么样的,但是以地图为例,如果您发送一个预渲染的位图而不是一些经/纬度矢量数据,那么提取任何有用的内容将更加困难。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.