如何保护web服务,这样只有我的Android应用程序可以使用我的web服务 [英] How to secure webservice so that only my android app can use my webservice
问题描述
我们已经建立一个Android应用程序,POST HTTP请求从机器人到我的PHP server.In响应Web服务发送JSON对象到Android应用程序,以显示结果。
We have built an android app that POST HTTP Request from Android to my PHP server.In response the webservice sends JSON object to android app to show results.
像服务之一,是像
http://mydomain.com/test/weather.php?lat=13.4332&long=80.454
因为我不是专家的Android所以要处理从PHP Web服务端的安全性。
Since I am not expert in android so want to handle the security for webservice from PHP end.
如何保护我的web服务调用,这样只有我的应用程序可以使用我的web服务。我不想,如果有人解密APK并获得web服务的URL,并使用后自定义输出中的数据。
How can I secure my webservice call so that only my app can use my webservice. I dont want if someone decrypt the apk and get the webservice URL and use it after customize the ouput data.
我怎样才能做到这一点?请为我提供任何很好的例子。
How can I achieve this? Please provide me any good example.
推荐答案
如果你有能力,你应该实现在应用程序中使用HTTPS,这可以解决许多安全问题。 创建自签名服务器的SSL证书和部署Web服务器的密钥工具在Android SDK用于此目的的。然后创建一个自签署的客户端和部署在自定义密钥库您的应用程序中包含在你的应用程序作为一种资源(密钥工具会产生这个问题,以及)。将服务器配置为要求客户端SSL认证,并只接受你生成的客户端证书。 奥莱利:应用安全为Android平台 要么 如果这只是你的客户和你的服务器,你可以(也应该)使用SSL,而无需购买任何东西。您可以控制服务器和客户端,所以每个人都应该只相信一个证书,一个属于其他的,你并不需要的CA这purpose.PHP可以通过POST接收数据或走出你的网站,甚至在互联网浏览器。一种用于执行此方法是由卷曲。 您必须验证由POST接收到的信息或与你的PHP,这种语言已经到了解决这些毛病太多的能力;看看这部分PHP官方文档。
If you are able, you should implement the use of HTTPS in your app and this could solve many security problems. Create a self-signed server SSL certificate and deploy on your web server with the keytool in the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. oReilly : Application Security for the Android Platform or If it's only your client and your server, you can (and should) use SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.PHP can receive data via POST or GET out of your site and even the internet browser. One of the methods used to do this is by curl. You must verify the information received by POST or GET in your PHP, this language has much ability to solve these "problems"; Take a look at this part of the PHP official documentation.
假设你正在构建一个登录系统:您也可以在登录页位置添加一个隐藏的元素与秘密的独特code,可以happend只有一次,保存这个秘密code。在会议上,如此,登录电子剧本的样子在会议上为这个code,有什么被张贴到脚本相比,同样也要继续。
Suppose you're building a login system: Also you can add in the login page place a hidden element with secret unique code that can happend only once, save this secret code in session, so, the loging script look in session for this code, compare with what was posted to the script, should same to proceed.
而且,如果你想获得您的访问者的IP地址:
And, if you want to get the IP address of your visitors:
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
您希望要在这里查找:<一href="http://security.stackexchange.com/questions/31024/encrypt-data-within-mobile-app-and-send-to-web-service">Encrypt在移动应用程序的数据和发送到Web服务和<一href="http://security.stackexchange.com/questions/30850/web-services-how-$p$pvent-illegal-accesses">Web服务:如何prevent非法访问
you want want to look up here: Encrypt data within mobile app and send to web service and Web services: how prevent illegal accesses
这篇关于如何保护web服务,这样只有我的Android应用程序可以使用我的web服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
