为什么在移动应用程序和后端 api 之间的每个请求中发送用户名和密码是一个坏主意? [英] Why is it a bad idea to send username and password with every request between mobile app and backend api?
问题描述
我最近一直在查看本应是安全 iPhone 应用程序的流量,用于执行与工作相关的任务,并且我注意到该应用程序在与后端.每个请求都包含用户名、密码和设备 ID,所有流量都通过 https 发送.这是一个restful api,所以没有状态服务器端.
I've been looking at the traffic from what is supposed to be a secure iPhone app for a work related task recently, and I've noticed that the app does not use any form for session id / token when talking to the backend. Every request contains the username, password and the device id, and all traffic is sent over https. It's a restful api, so there is no state server side.
我真的觉得这是一个坏主意,但我想不出太多好的理由来说明原因.
I really feel that this is a bad idea, but i cant come up with too many good arguments for why.
如果您是中间人攻击的受害者,在大多数情况下,攻击者可以在您登录时找到您的密码,因为无论如何都需要将用户名和密码发送到服务器以获取会话 ID/令牌.
If you are the victim of a man in the middle attack, the attacker can in most cases find your password when you log in, as the username and password needs to be sent to the server to obtain the session id / token anyways.
更好的方法可能是发送用户名、时间戳以及时间戳和密码的哈希值.如果时间戳是 x 秒,那么该服务器会丢弃请求,并且明文密码不必通过网络发送.
A better approach might be to send username, a timestamp and hash of timestamp and password. This server then drops the request if the timestamp is x seconds old, and the cleartext password does not have to be sent over the wire.
但是,我看过的大多数应用程序(使用 oath 等的应用程序除外)只是以明文形式(通过 https)发送用户名和密码以获取令牌.每次启动应用程序时都会发生这种情况(用户名和密码都存储在应用程序数据中).
However, most apps i've looked at (except those who use oath and so on) just send username and password in in cleartext (over https) to obtain a token. this happens every time you start the application (both username and password are stored within the app data).
正如主题所说,如果使用 https,为什么将用户名和密码与从移动/网络应用程序的每个请求发送到后端 api 是一个坏主意?
As the topic says, why is it a bad idea to send username and password with every request from a mobile/web app to the backend api, if https is used?
推荐答案
嗯,你自己说了算.您必须将用户名和密码存储在设备本身上.存储这些凭据的安全性如何?安装在设备上的恶意应用程序是否能够检索凭据?如果流氓应用程序与有效应用程序在同一帐户下运行,则它可能可以.即使您将这些凭据加密存储,您也必须将机密存储在设备本身上.
Well, you stated it yourself. You have to store the username and password on the device itself. How secure are those credentials stored? Would a rogue application installed on the device be able to retrieve the credentials? If the rogue application is running under the same account as the valid application, it probably can. Even if you store those credentials encrypted, you'd have to store the secret on the device itself.
此外,移动设备丢失/被盗的可能性要高得多,从而使攻击者可以访问设备本身.
Also, mobile devices have a much higher likelihood of being lost/stolen, giving an attacker access to the device itself.
另一个原因是每次都发送用户名和密码会增加攻击面.它将为攻击者提供更多具有恒定数据的消息来尝试解密.
Another reason is that sending the username and password every time, increases the attack surface. It will give an attacker more messages with constant data to try to decrypt.
最后,如果正确实施,验证密码应该相对较慢,这使得 API 身份验证不太理想.
Finally, verifying passwords, when implemented correctly should be relatively slow, making it less desirable for API authentication.
OAuth 2.0 等协议使用有效期有限的访问令牌,您必须有权访问刷新令牌才能获得新的访问令牌.如果设备丢失或被盗,可以轻松撤销刷新令牌.
Protocols like OAuth 2.0 work with access tokens that are valid a limited time and you'd have to have access to the refresh token to get a new access token. Refresh tokens can be easily revoked in case the device is lost or stolen.
这篇关于为什么在移动应用程序和后端 api 之间的每个请求中发送用户名和密码是一个坏主意?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
