Authenticate HTML5 application wrapped with Phonegap (or equivalent)


Question


Is there a way, using JavaScript only (client side), to ensure that an HTTP request is actually coming from my Phonegap application?
Be aware: I'm not talking about authenticating the user, rather, in a sense, about authenticating the app itself. There isn't (and mustn't be) any kind of user interaction related to this.
Not even talking about confidentiality of the communication (I'm not using HTTPS and the payload is not encrypted).

My guess is, in the end, this inevitably requires some sort of hard-coded key.
The problem is, as you can see for example here, such a key would be usually accessible by almost anyone - and this problem comes up not only with Javascript assets, but also with Java in Android.

If no way with Phonegap or any Cordova plugin, could you suggest an equivalent framework (or environment like Icenium) that could make this thing possible?
Or, at last, would there be any real risk in not taking this precaution for the aforesaid scenario?


Edit: Kurt Du Bois reminded me I did not mention SSL client authentication. Be it applicable/convenient or not, it always comes down to the problem of keeping a private key secret. I find this is well described here, and summed up in the sentence: "the assurance that the key hasn't been exported is only as strong as the key store itself".

Answer


An application is a piece of software, not a tangible object. The only way to authenticate it is if that piece of software contains a secret of some kind. From the server, to authenticate a client, you request that the client demonstrate that it knows the secret.


If you allow anyone to download your application, then whatever data it contains is not secret. So you cannot authenticate your application.


What you can do is make the secret harder to extract, with obfuscation techniques. Obfuscation done right is very hard — adding man-months to your development effort if they're to have any benefit. If you can still use a debugger, you're doing it wrong. Obfuscation done wrong means wasted effort. Obfuscation done right means adding days or weeks of work for someone to extract the secret. You need to ask yourself whether it's really worth it. Fundamentally, obfuscation is hiding the key under the doormat. Or behind the flowerpot if you're feeling fancy.

See also some similar questions on Security Stack Exchange: How to store a private RSA key for an application? (http://security.stackexchange.com/questions/30843/how-to-store-a-private-rsa-key-for-an-application); Storing private asymmetric key in application binary? (http://security.stackexchange.com/questions/1711/storing-private-asymmetric-key-in-application-binary)

