如何使用REST API或其他方法保护JSON文件?
[英]How can I Secure a JSON file with REST API or other methods?
问题描述
I've searched everywhere, and found lots of information I cannot comprehend. 
我到处搜索,发现了很多我无法理解的信息。 I'm using a WAMP server and managed to execute a "SELECT name FROM Tablename" query and passed the data to json_encode() . 我正在使用WAMP服务器,并设法执行“ SELECT Name FROM Tablename”查询,并将数据传递给json_encode() 。 I like the results so far, but now I need to protect the JSON file in the server, making it accessible only to users that run my Android app. 到目前为止,我都很喜欢结果,但是现在我需要保护服务器中的JSON文件,使其只能由运行我的Android应用程序的用户访问。
Through my research I found that REST might be a solution for me but I do not understand how I can implement it for my case. 通过研究,我发现REST可能是我的解决方案,但我不了解如何针对我的情况实施它。 Is it possible to have Server-side REST Security, and Client-side as well? 是否可以拥有服务器端REST安全性以及客户端端? I understand that REST is a web service and I read a tutorial where the web service is basically a web page. 我了解REST是Web服务,并且阅读了其中Web服务基本上是网页的教程。 My priorities are server-side json file, security and speed. 我的首要任务是服务器端json文件,安全性和速度。 The user will not be inserting any information via the Android app. 用户将不会通过Android应用插入任何信息。 I was thinking of deploying the Android application with the user and password to the specific json file (verification). 我正在考虑使用用户名和密码将Android应用程序部署到特定的json文件(验证)。
It would be helpful if you can point me to a video tutorial, or a tutorial for beginners, related to the subject. 如果您可以将我带到与该主题相关的视频教程或面向初学者的教程,将对您有所帮助。
Here are my specific questions? 这是我的具体问题?
- Can I parse images with JSON? 我可以使用JSON解析图像吗?
- Is it more efficient to mysqldump --> convert .csv file ---> SQLite? mysqldump->转换.csv文件---> SQLite是否更有效? (Securely). (安全地)。
- How big can a .CSV file get with say 1 million entries in the database? 假设数据库中有100万个条目,.CSV文件有多大?
- How can I accomplish all this? 我该怎么做?
Please help, thanks. 请帮忙,谢谢。
2 个解决方案
解决方案1
0 2012-04-16 01:06:11
Solution: Use HTTP Headers 解决方案:使用HTTP标头
Insecure solution: 不安全的解决方案:
use the User-Agent header. 使用User-Agent标头。
User-Agent: MyAndroidApp/1.0
More secure solution: 更安全的解决方案:
First off, you'll need to use SSL so no one can just easily see your secret key. 首先,您需要使用SSL,因此没有人可以轻易看到您的密钥。
Second, you can put a secret key in the HTTP header of the request you make from the android app: 其次,您可以在您从android应用发出的请求的HTTP标头中放置一个秘密密钥:
X-Android-Secret-Key: fee400be-7d08-45c5-bf7c-ff79c35a838c
You check headers on the server and only serve the file back if the desired header is received. 您在服务器上检查标头,并且仅在收到所需标头时才将文件送回。 You keep the header somewhat secret but not impenetrable with SSL. 您可以将标头保密,但不能让SSL穿透。
解决方案2
0
I'm only going to answer your original question on app authentication. 我只会回答您关于应用程序身份验证的原始问题。 Your other questions belong as separate questions. 您的其他问题属于单独的问题。
If it's only your client and your server, you can (and should) use mutually-authenticated SSL without purchasing anything. 如果仅是您的客户端和服务器,则可以(并且应该)使用相互认证的SSL,而无需购买任何东西。 You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose. 您可以控制服务器和客户端,因此每个服务器都应该只信任一个证书,一个证书属于另一个证书,因此您不需要CA。
Here's the high-level approach. 这是高级方法。 Create a self-signed server SSL certificate and deploy on your web server. 创建一个自签名服务器SSL证书并部署在您的Web服务器上。 You can use the keytool included with the Android SDK for this purpose. 为此,您可以使用Android SDK随附的keytool。 Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). 然后创建一个自签名客户端,并将其部署在应用程序中的自定义密钥存储区中作为资源(keytool也会生成此资源)。 Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. 配置服务器以要求客户端SSL身份验证,并仅接受您生成的客户端证书。 Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it. 将客户端配置为使用该客户端证书来标识自己,并仅接受服务器上为该部分安装的一个服务器端证书。
A step-by-step for this is a much longer answer than is warranted here. 逐步解决这个问题要比在此保证的更长。 I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. 我建议分阶段进行此操作,因为网络上有关于如何在服务器端和客户端使用Android中的自签名SSL证书的资源。 There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly. O'Reilly出版的《 Android平台的应用程序安全性》一书也有完整的演练。
You'll normally store that certificate/private-key in a keystore of sometype (a KeyStore if you're using Android) and that keystore will be encrypted. 通常,您会将证书/私钥存储在某种类型的密钥库中(如果使用的是Android,则为KeyStore),并且该密钥库将被加密。 That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. 该加密基于密码,因此您需要(1)将该密码存储在客户端的某个位置,或者(2)在用户启动客户端应用程序时向用户询问密码。 What you need to do depends on your usecase. 您需要做什么取决于您的用例。 If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in everytime). 如果(2)是可接受的,则说明您的凭据不受逆向工程的保护,因为它将被加密并且密码不会存储在任何位置(但是用户每次都需要输入密码)。 If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server. 如果您执行(1),则有人将能够对客户端进行反向工程,获取密码,获取密钥库,解密私钥和证书,并创建另一个能够连接到服务器的客户端。
There is nothing you can do to prevent this; 您无法采取任何措施来防止这种情况; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. 您可以使代码的逆向工程变得更加困难(通过混淆等),但是您无法使其变得不可能。 You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it. 您需要确定使用这些方法可减轻的风险是什么,以及减轻该风险需要进行多少工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.