保护 Web-API 访问 [英] Securing web-API access
问题描述
我有一个可通过 HTTP 访问的简单 Web-API,其中包含一些读取该数据的相应移动应用程序.现在有人反编译了一个应用程序/嗅探了 HTTP 流量,获取了我的 Web API 的 URL 并构建了他自己的客户端,就像我的客户端一样.
I have a simple web-API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the url to my web API and built his own client acting like one of mine.
我如何才能确保只有我自己的客户才能访问我的 API?即使想到有人反编译我的应用程序.
How can I secure the access to my API only for my own clients? Even with the thought of someone decompiling my app.
服务器&客户端代码更改是一种选择!
Server & client-side code change is an option!
推荐答案
服务器&客户端代码更改是一个选项!
Server & client-side code change is an option!
首先,你不能完全阻止它(没有法律行动:).使用 SSL/TLS,这将有助于嗅探的可能性.
First, you can't prevent it completely (without legal action :). Use SSL/TLS, that will help with the sniffing posibility.
如果应用程序是直接从您的服务器(而不是通过应用程序商店/第三方)下载的,您可以对其进行更多保护.当用户下载应用程序时,请确保用户已通过身份验证,生成一个密钥,将其包含在应用程序中,并在与该用户的所有进一步通信中使用它.黑客/小偷可以模仿,但他们需要通过他们的服务器来模拟登录和下载您的应用程序 - 您可以找到并阻止它.
If the app is downloaded directly from your server (not through an app store/third party) you can secure it a bit more. When a user downloads the application make sure the user is authenticated, generate a key, include it in the application and use it in all further communication with that user. The hacker/thief can mimic that, but they'll need to go through their server to simulate a login and download of your application -- you can find and block that.
这篇关于保护 Web-API 访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!