iOS: Is there a safe way to include an API key in the code?


Question

Amazon has an AWS SDK for iOS, along with several sample apps. In their samples, they put the API credentials in a Constants.h file:

// Constants used to represent your AWS Credentials.
#define ACCESS_KEY_ID          @"CHANGE ME"
#define SECRET_KEY             @"CHANGE ME"

My concern is that these can be extracted by a determined hacker. Is there any way to securely include API keys in an app?

The one option I've seen is to include a server of my own as a go-between: the app talks to my server, my server talks to S3. I can see the value in doing this, but one is still presented with the problem: do I allow the app to make API calls on my server without any kind of authentication? Including my own API key in the app has the same problem as including AWS API keys.

Recommended answer

There are a couple of credential management options to help you avoid embedding credentials in your app. The first is Web Identity Federation, which allows users to log in to your app with Facebook, Google, or Login With Amazon. Another option is to use a Token Vending Machine, which is a server component that distributes temporary credentials to your app.

There is a high-level overview with pointers to the relevant documentation and code samples on the AWS Mobile Development Blog: http://mobile.awsblog.com/post/Tx3UKF4SV4V0LV3/Announcing-Web-Identity-Federation
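
The token-vending pattern from the answer, sketched as an added example that is not part of the original answer or the AWS samples: the long-term secret stays on the server, and the app only ever receives a short-lived, scoped credential. This is a simplified model that uses an HMAC-signed token in place of AWS STS; the function names, scope strings, secret and lifetime are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Long-term secret: held only by the server, never compiled into the app.
SERVER_SECRET = b"constructed-demo-secret"  # constructed sample value
TTL_SECONDS = 900                           # assumed lifetime for this demo


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def vend_token(user_id, scope, now=None):
    """Issue a temporary credential. Assumes the caller has already
    authenticated user_id (for example through a federated login)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "scope": scope, "exp": int(now) + TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def check_token(token, needed_scope, now=None):
    """Server-side check before acting on the app's behalf.
    Returns (True, user_id) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # missing separator or invalid base64
        return False, "malformed"
    # Constant-time comparison; the payload is parsed only after it verifies.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["scope"] != needed_scope:
        return False, "out of scope"
    return True, claims["sub"]
```

A token recovered from the app or from traffic is useful only until it expires and only for its one scope, unlike a key compiled into Constants.h.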
