native app talking directly to db

Views: 129

Question

I'm making an iOS app, with ElasticSearch as the db. Since ES exposes an HTTP API, technically I can have the client talk directly to the db without routing it through an app server. I would never do this in JavaScript, since the user can view the source and see the credentials. Since iOS/Android apps are compiled and users can't view their source code, is it safe to have the app talk directly to the db, or are there any other concerns?

Accepted answer

Security via obscurity (hiding the API calls by not having them in JavaScript) is never the answer. What's to stop somebody from just sniffing the traffic via Wireshark or other similar software and then mapping your API that way?

You should never make your Elasticsearch installation visible to the outside world; ES is built around search, not security.

You'll have to build a wrapper with some baked-in authentication if you want to do it properly and securely. The main reason for this is that (you even said it yourself) Elasticsearch is a database, kind of, and you wouldn't go making your database public-facing now, would you?

As a side note, there is https://github.com/sonian/elasticsearch-jetty but I've never used it and so couldn't recommend it. I'd stick with the wrapper...
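The "wrapper with baked-in authentication" the answer recommends, sketched as an added Python example (not code from the question, the answer, or the elasticsearch-jetty project). It assumes Elasticsearch is bound to localhost and reachable only from this wrapper, that the app obtains a short-lived HMAC token from a login endpoint (the secret lives on the server, never in the app binary), and that documents carry an `owner_id` field; the index name `documents`, the `ALLOWED_FIELDS` list and the token format are all constructed for the example. The client never sends raw query DSL: the wrapper builds the query itself, forces a per-user filter, and caps the result size, so sniffing the traffic with Wireshark reveals only the wrapper's narrow API, not ES credentials or the full index.

```python
import hmac
import hashlib
import json
import time
from urllib import request

# Server-only secret (placeholder value): it is never shipped inside the mobile app.
TOKEN_SECRET = b"replace-with-a-server-only-secret"
ES_URL = "http://127.0.0.1:9200"      # assumed: ES listens on localhost, not on a public interface
ALLOWED_FIELDS = {"title", "body"}    # the only fields the app is allowed to search on


def issue_token(user_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Issue a bearer token after login. Format: user_id.expiry.hex(hmac-sha256)."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    mac = hmac.new(TOKEN_SECRET, f"{user_id}.{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{expiry}.{mac}"


def verify_token(token: str, now=None):
    """Return the user_id if the token is genuine and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expiry, mac = token.rsplit(".", 2)   # rsplit: user_id itself may contain dots
        expiry = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_SECRET, f"{user_id}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    if expiry <= now:
        return None
    return user_id


def build_search_body(user_id: str, field: str, text: str, size: int = 20) -> dict:
    """Build the ES query server-side; the client only supplies a field name and a search string."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not searchable: {field}")
    size = max(1, min(size, 50))   # cap page size so a single client cannot dump the index
    return {
        "size": size,
        "query": {
            "bool": {
                "must": [{"match": {field: text}}],
                # tenant filter enforced by the wrapper: users only ever see their own documents
                "filter": [{"term": {"owner_id": user_id}}],
            }
        },
    }


def es_post(path: str, body: dict) -> dict:
    """Forward a request to Elasticsearch. Only the wrapper process can reach ES_URL."""
    req = request.Request(ES_URL + path, data=json.dumps(body).encode(),
                          headers={"Content-Type": "application/json"}, method="POST")
    with request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def handle_search(headers: dict, params: dict, transport=es_post):
    """HTTP handler returning (status_code, response). `transport` is injectable for offline tests."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    user_id = verify_token(auth[len("Bearer "):])
    if user_id is None:
        return 401, {"error": "invalid or expired token"}
    try:
        body = build_search_body(user_id, params.get("field", ""), params.get("q", ""),
                                 int(params.get("size", 20)))
    except ValueError as exc:
        return 400, {"error": str(exc)}
    result = transport("/documents/_search", body)
    hits = [h["_source"] for h in result.get("hits", {}).get("hits", [])]
    return 200, {"hits": hits}   # only the document sources go back, not ES metadata
```

The functions are split so the policy parts (token check, query construction, size cap) can be unit-tested without a running cluster; in deployment `handle_search` would sit behind an HTTPS endpoint and `es_post` would be the only code path that touches Elasticsearch.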
