如何确认目前正在从应用程序,服务器调用? [英] How to verify that server calls are being made from the app?
问题描述
我有一个Android应用程序,需要频繁地连接到服务器以检索或添加数据库中的敏感数据。我需要验证正在进行,其中从应用程序中调用服务器,所以我用这个办法:<一href="http://stackoverflow.com/questions/6082240/how-to-verify-the-identity-of-the-client-from-the-server">how验证客户端从服务器的身份?其中包括在应用程序中的硬codeD字符串键在服务器验证。 但后来我意识到,有特别喜欢dex2jar的工具,这将显示所有我的code(即使有来自ProGuard的一些混淆),这个又硬codeD密钥。
I have an android app that needs to connect frequently to the server to retrive or add in the database sensible data. I needed to verify that the calls to the server where being made from the app so I used this approach: how to verify the identity of the client from the server? which consists in a hardcoded string key in the app that's verified in the server. But then I realized that there were tools like dex2jar, that would reveal all my code (Even with some obfuscation from proguard) in particular this hardcoded key.
有没有更优雅,更安全的方式来验证服务器的呼叫正在从我的应用程序?
Is there any more elegant and safe way to verify that the server calls are being made from my app?
PS:我很抱歉的英语,显然我不是母语的人。
PS: I'm sorry for the English, clearly I'm not a native speaker.
推荐答案
如果它无需购买任何东西只有你的客户端和服务器,您可以(也应该)使用相互认证的SSL。您可以控制服务器和客户端,所以每个人都应该只相信一个证书,一个属于其他的,你并不需要的CA用于这一目的。
If it's only your client and your server, you can (and should) use mutually-authenticated SSL without purchasing anything. You control the server and the client, so each should only trust one certificate, the one belonging to the other and you don't need CAs for this purpose.
下面是高层次的方法。创建自签名服务器SSL证书,并部署在Web服务器上。您可以使用附带的Android SDK用于此目的的密钥工具。然后创建一个自签署的客户端和部署在自定义密钥库您的应用程序中包含在你的应用程序作为一种资源(密钥工具会产生这个问题,以及)。将服务器配置为要求客户端SSL认证,并只接受你生成的客户端证书。配置客户端使用客户端证书来识别自己和只接受你的服务器的那一部分上安装了一个服务器端证书。
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
一个在这一步一步的是比这里是必要更长的答案。我建议分阶段这样做,因为有关于如何处理与Android的自签名的SSL证书,服务器和客户端在网络上的资源。还有一个完整的步行通过我的书,应用程序安全性的Android平台,由O'Reilly出版。
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
(如果你使用的是Android密钥库)你通常存储证书/私钥的sometype。这时候的密钥库和密钥库将被加密。这种加密是基于密码的,所以你要么需要(1)存储密码,在客户端的某个地方,或(2)要求用户输入密码时,他们开始你的客户端应用程序。什么,你需要做的取决于你的用例。如果(2)是可以接受的,那么你保护你的凭证对逆向工程,因为它会被加密,密码不会被存储在任何地方(但用户需要将其在每次输入)。如果你这样做(1),然后会有人能够扭转工程师您的客户,得到密码,得到密钥存储,解密私钥和证书,并创建另一个客户端将能够连接到服务器。
You'll normally store that certificate/private-key in a keystore of sometype (a KeyStore if you're using Android) and that keystore will be encrypted. That encryption is based on a password, so you'll either need to (1) store that password in your client somewhere, or (2) ask the user for the password when they start your client app. What you need to do depends on your usecase. If (2) is acceptable, then you've protected your credential against reverse engineering since it will be encrypted and the password will not be stored anywhere (but the user will need to type it in everytime). If you do (1), then someone will be able to reverse engineer your client, get the password, get the keystore, decrypt the private key and certificate, and create another client that will be able to connect to the server.
没有什么可以做,以prevent没有这一点;可以使逆向工程的code更难(通过模糊处理等),但你不能使它不可能。你需要确定你正试图减轻这些方法的风险是多少工作是值得做的,以减轻它。
There is nothing you can do to prevent this; you can make reverse engineering your code harder (by obfuscation, etc) but you cannot make it impossible. You need to determine what the risk you are trying to mitigate with these approaches is and how much work is worth doing to mitigate it.
这篇关于如何确认目前正在从应用程序,服务器调用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
