How do I control access to my server-side data?


Question

I have created an iPhone application which fetches data held on a server in an XML file. How do I check that the request for the data is coming from my app and not from some other source such as another iPhone app or a desktop browser since currently you could just trace the iPhone request on your LAN with Wireshark and then use the captured URL to load the data in a desktop browser. I'm thinking I'm going to need to serve the file via PHP or something and use some sort of User Agent validation or a challenge-response sequence. If someone could provide a code sample I'd appreciate it.

Recommended answer

Short answer: You can't. But you can indeed make it harder.

Whatever you do, it will be possible to circumvent it - user agent validation is extremely easy to circumvent; challenge-response will require disassembling of your app, but it's still possible.

However, all your nice protections won't help against network sniffing. Unless you also encrypt the transfer someone can simply sniff the plaintext data instead of breaking your "protection".

IMO the main question shouldn't be "How do I protect it" but rather "Why would somebody want to get the raw data? Why shouldn't he get it?"
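
An added example, not part of the original answer: a sketch of the challenge-response idea discussed above, written in Python rather than PHP, showing why a URL captured from the wire cannot simply be replayed. `APP_SECRET`, `/data.xml` and the function names are assumptions for illustration; the secret ships inside the app, so disassembly still recovers it, and the transfer still has to be encrypted to keep the XML itself from being sniffed.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: one secret compiled into the app (constructed demo value).
# Anyone who disassembles the binary recovers it, so this only raises the bar.
APP_SECRET = b"constructed-demo-secret"
CHALLENGE_TTL = 30  # seconds a challenge stays valid

_pending = {}  # nonce -> issue time; a real server would use a shared store


def issue_challenge(now=None):
    """Server: hand out a fresh random nonce for one request."""
    nonce = secrets.token_hex(16)
    _pending[nonce] = time.time() if now is None else now
    return nonce


def client_response(nonce, path, secret=APP_SECRET):
    """Client (the app): MAC the nonce and path with the embedded secret."""
    return hmac.new(secret, f"{nonce}:{path}".encode(), hashlib.sha256).hexdigest()


def verify(nonce, path, response, now=None):
    """Server: accept each nonce once, within the TTL, with a valid MAC."""
    issued = _pending.pop(nonce, None)  # pop makes the nonce single-use
    if issued is None:
        return False  # unknown or already used: a replayed request ends here
    now = time.time() if now is None else now
    if now - issued > CHALLENGE_TTL:
        return False  # challenge expired
    expected = client_response(nonce, path)
    # Constant-time comparison on bytes, so odd input cannot raise TypeError
    return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    n = issue_challenge()
    r = client_response(n, "/data.xml")
    print("first request accepted:", verify(n, "/data.xml", r))
    print("replayed request accepted:", verify(n, "/data.xml", r))
```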
