保护 Web-API 访问 [英] Securing web-API access

问题描述

我有一个可通过 HTTP 访问的简单 Web-API，其中包含一些读取该数据的相应移动应用程序.现在有人反编译了一个应用程序/嗅探了 HTTP 流量，获取了我的 Web API 的 URL 并构建了他自己的客户端，就像我的客户端一样.

I have a simple web-API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the url to my web API and built his own client acting like one of mine.

我如何才能确保只有我自己的客户才能访问我的 API?即使想到有人反编译我的应用程序.

How can I secure the access to my API only for my own clients? Even with the thought of someone decompiling my app.

服务器&客户端代码更改是一种选择！

Server & client-side code change is an option!

推荐答案

服务器&客户端代码更改是一个选项！

Server & client-side code change is an option!

首先，你不能完全阻止它(没有法律行动:).使用 SSL/TLS，这将有助于嗅探的可能性.

First, you can't prevent it completely (without legal action :). Use SSL/TLS, that will help with the sniffing posibility.

如果应用程序是直接从您的服务器(而不是通过应用程序商店/第三方)下载的，您可以对其进行更多保护.当用户下载应用程序时，请确保用户已通过身份验证，生成一个密钥，将其包含在应用程序中，并在与该用户的所有进一步通信中使用它.黑客/小偷可以模仿，但他们需要通过他们的服务器来模拟登录和下载您的应用程序 - 您可以找到并阻止它.

If the app is downloaded directly from your server (not through an app store/third party) you can secure it a bit more. When a user downloads the application make sure the user is authenticated, generate a key, include it in the application and use it in all further communication with that user. The hacker/thief can mimic that, but they'll need to go through their server to simulate a login and download of your application -- you can find and block that.

这篇关于保护 Web-API 访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！