iOS安全性与服务器之间发送带有密码的数据 [英] iOS security sending data with password to and from server
问题描述
我正在构建一个需要从用户设备发送密码以在服务器上进行身份验证的应用程序,然后服务器才能执行任何操作.它是这样的:
I'm building an app that needs to send the password from the user's device to be authenticated on the server before the server does any operations. it goes like this:
- 用户在手机上具有纯文本密码,该密码也作为bcrypt二进制文件存储在服务器中.
-
用户希望从数据库中获取内容,因此用户发送其ID&通过(当前为纯文本.它的错误)到服务器的密码.
- User has a plain text password on their phone that is also in the server as a bcrypt binary.
user wants to get something from the database, so user sends their ID & Password to the server via (currently plain text. its bad).
NSString *url = [NSString stringWithFormat:@"%@f=getUserInfo&ID=%@&password=%@",[[Globals global] operationServerName], self.ID, self.password];
NSData *data =[[NSData alloc] initWithContentsOfURL:[NSURL URLWithString:url]];
服务器对从用户处获得的密码进行哈希处理,并从服务器中检索已散列的密码,并进行比较(如果匹配),则从数据库中获取一些信息
server hashes the password it got from the user and retrieves the already hashed password from the server and makes a comparison, if they match, it gets something from the database
问题是ID和密码是通过纯文本发送到服务器的,我不知道该怎么做或实施以使其安全,从而避免窃听攻击.我绝对不知道该怎么办,但我听说ssl/tls会有所帮助,如果任何人都可以在基本水平上向我解释如何解决问题或将方向指向正确的方向,我将不胜感激!关于如何改善这一点的任何提示或解释都将非常棒!我一无所有.
The problem is that the ID and Password are sent to the server over plain text and i have no idea what to do or implement to make it secure such that it avoids eavesdropping attacks. i have absolutely no idea what to do but i heard ssl/tls would help, if anyone could on an elementary level explain to me how to fix the problem or point me in the right direction, i'd REALLY appreciate it! Any tips or explanations on how to improve this would be awesome! I'm totally clueless.
从服务器角度来讲,最好知道我应该在其中添加些什么,以使其在应用程序中成为可能.我目前正在使用本地服务器,但是当它投入使用时,它将来自托管公司
also server side wise, it'd be good to know what i should add there to make it possible in the app. I'm currently using a local server, but when it goes live, it'll be from a hosting company
推荐答案
您需要通过 HTTPS 连接而不是HTTP发送数据.这样,客户端和服务器之间的数据流将被加密.
You need to send data through HTTPS connections instead of HTTP. That way the data flow between the client and the server will be encrypted.
您需要在服务器上安装SSL证书.(如果您不知道要安装,只需请您的主机提供商进行安装即可).现在,而不是在全局方法[[Globals global] operationServerName]中返回http链接,而是返回HTTPS( https://example.com )
You need to install a SSL Certificate on your server.(If you are unaware of installing just ask your host provider to do it). Now instead of returning http link in your global method [[Globals global] operationServerName] return HTTPS (https://example.com)
这应注意加密服务器和客户端之间的数据流.
This should take care of encrypting data flow between server and client.
参考: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
这篇关于iOS安全性与服务器之间发送带有密码的数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
