APNS 令牌应该加密吗? [英] Should APNS Tokens be encrypted?

问题描述

所以，我想知道，既然用户将他们的 APNS 令牌发送给 APNS 提供商以接收推送通知，令牌是否应该加密?是否需要 SSL?

So, I was wondering, since users send their APNS tokens to the APNS provider in order to receive push notifications, should the tokens be encrypted? Is SSL necessary?

据我所知，令牌中没有真正的敏感数据.如果有人真的设法从用户​​那里嗅探到令牌，他仍然需要获得我的推送证书.如果他设法做到了(他不会;-))他所能做的就是向该特定用户发送垃圾邮件通知.那是对的吗?还是我错过了什么?

From what I figure is that there is no real sensitive data in the token. If someone actually managed to sniff the token from a user, he still would have to obtain my push certificate. And if he managed to do that (he won't ;-)) all he could do is send spam notifications to this particular user. Is that correct? Or did I miss something?

此外，我认为无法根据 APNS 令牌识别设备(或更重要的是，识别其用户)?

Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?

所以，我想保证，如果有人从我的一个客户那里嗅探到推送通知注册(注册包含 APNS 令牌和用户感兴趣的信息，并且连接是未加密的，所以一切都是可读的文本) ...

So, I want to assure that, if someone sniffs a push notification registration from one of my clients (the registration contains the APNS token and the information the user is interested in, and the connection is unencryped so everything is readable in plain text) ...

• 他仍然需要获得我的推送证书才能以任何方式打扰我的客户
• 他知道某人对这些信息感兴趣，但无法确定我的客户是谁

• he still has to obtain my push certificate to be able to bother my client in any way
• he knows that someone is interested in this information, but has no way to identify who my client is

我可以放心吗?提前致谢！

Can I rest assured? Thanks in advance!

推荐答案

SSL 几乎从来都不是坏主意. 缺少 SSL 意味着您的用户将容易受到各种讨厌的事情的影响，例如 DNS 中毒，人在中间，或嗅探.

SSL is almost never a BAD idea. Lack of SSL means your users will be susceptible to all sorts of nastiness like DNS poisoning, man in the middle, or sniffing.

也许您担心 SSL 证书的成本或服务器的开销?我不知道 - 但我只是想说 - 如果您因提供某些服务而获得报酬或正在收集个人身份信息，可能值得考虑.

Maybe you're worried about the cost of an SSL cert, or the overhead on your servers? I don't know - but I'm just sayin' - probably worth considering if you're getting paid to provide some service or are collecting personally identifiable information.

否则，您在帖子中的观点非常正确.事实是有人需要您的推送证书才能将这些消息发送给这些用户.

Otherwise your points in the post were pretty much right on. The fact is someone would need your push certificate to send out those messages to those users.

此外，我认为无法识别设备(或更多重要的是，它的用户)基于 APNS 令牌?

Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?

在 iOS 5 之前，该 ID 在所有应用程序中都是一致的 - 因此汇总统计公司能够使用该 ID 在某种程度上识别特定用户......至少可以知道这是同一个人".但这最近发生了变化，现在是每个应用程序的随机 ID.

Prior to iOS 5, that ID was consistent across all apps - so aggregate stats companies were able to use the ID to identify a specific user somewhat... at least to know "this is the same person". But that changed recently, and it's now a random per-app ID.

这篇关于APNS 令牌应该加密吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！