Securing API Keys on clients (JavaScript, Android, iOS, etc.)


Problem description


I am working on an API-centric web application with a custom authorization method that consists of building a string based off of the request method, URL, params, public API key and encoded by a private API key. This works fine on the server side, but on the client side the private API key (and authorization method) will be vulnerable. I've spent the last hour or so looking for a good way to secure this API key, and the best method I could find is by proxying through my server, but I am still not 100% sure on this.


First of all, should I be worried? I want to make security a priority in my web application, but anything that will deal with modifying a user's account will need a temporary, encrypted token to authorize the request (in addition to the HMAC hash).


My understanding from proxying was that you would make a request to your server, which would then encrypt with the private key and return the information, but how would the server validate that the request came from a source with a valid API key?


Can anyone provide any insight as to what I should do? I feel like this could potentially be a vulnerability for any client-side code including JavaScript, iOS, and Android.

Recommended answer


You can never trust the client. Even if you obfuscate, someone could still figure it out. For example, an adversary could reverse-engineer the obfuscation algorithm, look at the device memory, or even capture what's sent over the wire.


However, you can still make a secure app by enforcing security on the server side. For example, users should need to be authenticated in order to successfully make privileged API requests.


Also, you can enforce API usage on the server side, whether by input validation, rate limiting, or IP address tracking.
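The answer's advice (keep the private key on the server, require an authenticated user with a short-lived token for privileged calls, and rate-limit per key) combined with the HMAC scheme the question describes, as an added Python example that is not part of the original post or answer. The key names, the canonical-string layout, the window sizes and the in-memory stores are all assumptions made for the illustration; a real server would keep keys, tokens and counters in a proper store.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed sample data (assumption): one public/private key pair.
# The private key is only ever read on the server; clients never receive it.
API_KEYS = {"pub_demo": b"private-demo-secret"}
CLOCK_SKEW_SECONDS = 300      # reject signatures with a timestamp outside this window
RATE_LIMIT = 5                # accepted requests per window, per public key
RATE_WINDOW_SECONDS = 60
TOKEN_TTL_SECONDS = 900       # lifetime of the token required for account-modifying calls

_request_log = {}             # public_key -> timestamps of accepted requests (constructed store)
_session_tokens = {}          # token -> (user, expiry)                        (constructed store)


def canonical_string(method, url, params, public_key, timestamp):
    """The string both sides sign: method, URL, sorted params, public key, timestamp.
    Sorting the params is what lets client and server agree on the bytes."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), url, query, public_key, str(timestamp)])


def sign(method, url, params, public_key, private_key, timestamp):
    """HMAC-SHA256 over the canonical string. Runs wherever the private key lives,
    which in the proxy design is the server, never the browser or mobile app."""
    msg = canonical_string(method, url, params, public_key, timestamp).encode()
    return hmac.new(private_key, msg, hashlib.sha256).hexdigest()


def issue_session_token(user, now=None):
    """Issued only after the user has authenticated; expires so a captured token
    is worth little to whoever reads it out of device memory or off the wire."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _session_tokens[token] = (user, now + TOKEN_TTL_SECONDS)
    return token


def _within_rate_limit(public_key, now):
    """Fixed-window counter per public key; only signed requests are counted."""
    recent = [t for t in _request_log.get(public_key, []) if now - t < RATE_WINDOW_SECONDS]
    _request_log[public_key] = recent
    if len(recent) >= RATE_LIMIT:
        return False
    recent.append(now)
    return True


def verify_request(method, url, params, public_key, timestamp, signature,
                   session_token=None, privileged=False, now=None):
    """Server-side enforcement: key lookup, freshness, HMAC, token, rate limit.
    Returns (accepted, reason) so callers can log why a request was refused."""
    now = time.time() if now is None else now
    private_key = API_KEYS.get(public_key)
    if private_key is None:
        return False, "unknown public key"
    if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = sign(method, url, params, public_key, private_key, timestamp)
    # Constant-time comparison so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if privileged:
        entry = _session_tokens.get(session_token or "")
        if entry is None or entry[1] < now:
            return False, "missing or expired session token"
    # Counted last, so traffic without a valid signature cannot exhaust a key's quota.
    if not _within_rate_limit(public_key, now):
        return False, "rate limit exceeded"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    sig = sign("GET", "/v1/items", {"page": "1"}, "pub_demo", API_KEYS["pub_demo"], now)
    print(verify_request("GET", "/v1/items", {"page": "1"}, "pub_demo", now, sig))
    token = issue_session_token("alice")
    sig = sign("POST", "/v1/account", {"email": "a@example.test"}, "pub_demo", API_KEYS["pub_demo"], now)
    print(verify_request("POST", "/v1/account", {"email": "a@example.test"}, "pub_demo",
                         now, sig, session_token=token, privileged=True))
```

The client in this design holds only the public key and a session token; the signing step happens in the server-side proxy, so there is nothing secret to reverse-engineer out of the JavaScript, APK or IPA. The freshness window bounds replay of a captured request, and the rate limit is applied per public key after the signature check so that unsigned junk (which the answer suggests handling with IP-based tracking) cannot burn a legitimate key's quota.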
