Android:在服务器端验证应用程序的完整性 [英] Android: Verifying the application's integrity on the server side
问题描述
我正在编写一个Android应用程序,该应用程序通过HTTPS与服务器应用程序进行通信.在服务器端,我必须绝对确定Android应用程序的完整性.这意味着服务器应用程序需要确保它与我开发的Android应用程序进行通信,而不是与重写的应用程序进行通信(例如,在反编译原始应用程序或对设备进行植根之后).
I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
是否可以确保? APK文件的签名是否可能存在?
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
任何提示都值得赞赏.
关于, 彼得
推荐答案
您正试图解决一个已知问题:
You are trying to address a known problem:
-
您永远不能信任开放设备(手机,台式计算机)上的应用程序.为了信任它,它应该是防篡改的.这种设备的一个例子是智能卡.移动设备肯定不是.
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper proof. An example of such device is a SmartCard. Mobile devices are certainly not it.
您永远不要将数据发送到该用户不应看到的设备.这意味着所有业务逻辑必须在服务器上完成.
You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.
所有对服务器的请求都应使用用户的凭据(用户名/密码)进行身份验证,并通过安全协议(HTTPS/SSL)进行.
All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
这篇关于Android:在服务器端验证应用程序的完整性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!