Amazon SimpleDB - apps - data protection


Question

I have been using AWS (Amazon Web Services), and in particular SimpleDB, for a couple of smartphone apps using their iOS/Android client libraries.

So far, the data was very benign so I didn't worry too much about data protection.

My next app project will require a "users" table/domain containing usernames and passwords.

What I'm worried about is that if someone reverse-engineers the Android Java version of the app, it will be easy to get all the SimpleDB data, including all the passwords.

The basic TVM thing (Token Vending Machine, where a temporary token replaces the AWS credentials, which are not in the code) doesn't seem to protect against that scenario, so it would be great to hear what people think is the recommended approach to do the login part of the app using AWS without being completely unsafe.

Having the passwords table stored somewhere else/accessed in a different way?

Any comment appreciated, many thanks.

Recommended answer

I can suggest two approaches to keep your app protected -

First approach:

You can keep your AWS secret key in a file within your app that will be encrypted using a private key. On start-up, your code will read that file using the public key and can only get your AWS secret key. Please remember the following points in this approach -

1. Your code must be obfuscated.
2. Your key must be in encrypted form in that file, so you will get double protection.
3. Your file must be digitally signed.

Second approach:

You can also create your own web site that will manage your user authentication, and if the user is successfully authenticated it will send the AWS secret key, after encrypting it with the private key, in its response to the app, and your app will use that AWS secret key after decrypting it with the public key. Please remember the following points in this approach -

1. Your response must be returned in encrypted form.
2. Your site must be secure and must run on HTTPS.
3. Your code must be obfuscated.
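As an added illustration of a site that manages user authentication, as in the second approach (this is not code from the answer or from AWS): the example below keeps only salted password hashes in the users table, checks the login on the server, and returns a short-lived signed token in the spirit of the TVM the question mentions. The PBKDF2 work factor, the token format, the choice to return a token rather than a key, and the names `hash_password`, `login` and `verify_token` are all assumptions.

```python
import base64, hashlib, hmac, json, os, time

ITERATIONS = 200_000         # PBKDF2 work factor (assumed value)
TOKEN_TTL = 900              # seconds a token stays valid (assumed value)
SERVER_KEY = os.urandom(32)  # token signing key; exists only on the server

def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is stored in the users table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed sample "users" domain: it holds no plaintext passwords.
USERS = {"alice": hash_password("correct horse battery")}

def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, body, hashlib.sha256).digest())

def login(username, password, now=None):
    """Check credentials on the server; return a signed token or None."""
    now = time.time() if now is None else now
    # Unknown users get a dummy record so the same hashing work is done.
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return None
    claims = {"sub": username, "exp": int(now) + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def verify_token(token, now=None):
    """Return the username for an authentic, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None
    return claims["sub"] if claims["exp"] > now else None
```

The app in this example only ever holds the token, so reverse-engineering the client yields neither the password hashes nor the signing key.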
