保护Web服务,因此它只能由特定的Android应用程序调用 [英] Securing a web service so it can only be called by a specific Android application
问题描述
我们有一个只能由特定的Android应用程序被称为Web服务。有什么解决办法是存在这个问题?
We have a web service that should only be called by a specific Android app. What solutions are there for this problem?
要求是不使用身份验证的。
The requirement is to not use authentication at all.
推荐答案
如果这只是你的客户和你的服务器,你可以(也应该)使用SSL,而无需购买任何东西。您可以控制服务器和客户端,所以每个人都应该只相信一个证书,一个属于其他的,你并不需要的CA用于这一目的。
If it's only your client and your server, you can (and should) use SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.
下面是高层次的方法。创建自签名服务器SSL证书,并部署在Web服务器上。您可以使用附带的Android SDK用于此目的的密钥工具。然后创建一个自签署的客户端和部署在自定义密钥库您的应用程序中包含在你的应用程序作为一种资源(密钥工具会产生这个问题,以及)。将服务器配置为要求客户端SSL认证,并只接受你生成的客户端证书。配置客户端使用客户端证书来识别自己和只接受你的服务器的那一部分上安装了一个服务器端证书。
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
一个在这一步一步的是比这里是必要更长的答案。我建议分阶段这样做,因为有关于如何处理与Android的自签名的SSL证书,服务器和客户端在网络上的资源。还有一个完整的步行通过我的书,应用安全为Android平台,由O'Reilly出版
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
(如果你使用的是Android密钥库)你通常存储证书/私钥的sometype。这时候的密钥库和密钥库将被加密。这种加密是基于密码的,所以你要么需要(1)存储密码,在客户端的某个地方,或(2)要求用户输入密码时,他们开始你的客户端应用程序。什么,你需要做的取决于你的用例。如果(2)是可以接受的,那么你保护你的凭证对逆向工程,因为它会被加密,密码不会被存储在任何地方(但用户需要将其在每次输入)。如果你这样做(1),然后会有人能够扭转工程师您的客户,得到密码,得到密钥存储,解密私钥和证书,并创建另一个客户端将能够连接到服务器。
You'll normally store that certificate/private-key in a keystore of sometype (a KeyStore if you're using Android) and that keystore will be encrypted. That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your usecase. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in everytime). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server.
没有什么可以做,以prevent没有这一点;可以使逆向工程的code更难(通过模糊处理等),但你不能使它不可能。你需要确定你正试图减轻这些方法的风险是多少工作是值得做的,以减轻它。
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.
这篇关于保护Web服务,因此它只能由特定的Android应用程序调用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
