How to make a secure login using UDID or device token?


Problem description

So I'm making an app where I want the users to be able to add, edit and rate content, but I do not want to force them to register. Instead I was planning on just using their device id or device token to identify them. I'm planning on making both an iPhone and Android version, so I'm looking for a general solution, but the iPhone version has higher priority, so an iPhone specific solution would also be welcome.

The problem is that I don't want just anyone to be able to use my web service by sending a phony device id or someone else's device id.

How would the client prove to the server that it is providing the correct device id?

Recommended answer

In theory, you cannot. A device ID is not particularly secret, and in most cases, it can be easily spoofed. As for Android, there's no reliable device ID on that OS at all - see the gory details here: Is there a unique Android device ID?

All you can rely upon is security by obscurity - hoping that no one will be determined enough to reverse-engineer the code and analyse the authentication protocol. And not disclosing the code is not an option - you are distributing the app after all.

That said, one not-particularly-secure auth method would be - send the device ID and a hash of device ID concatenated with a secret, hard-coded in the client code string. The service would contain a copy of the same string, recalculate the hash (using the device ID provided) and match the hashes. Not breakable by protocol analysis, only by digging in the code for the string. Vulnerable to replay attacks though.

For a stronger solution, authenticate users, not devices. This is up to your customers, and depends on the nature of the business.
