iPhone 和服务器之间的安全通信? [英] Secure Communication Between iPhone and Server?
问题描述
我正在开发一个连接到基于 XML 的 API 的应用程序.我可以控制服务器和应用程序 - 有什么方法可以确保只有我的应用程序可以访问 API?
I'm developing an app which connects to an XML based API. I have control over both the server and the app - is there any way I can make sure only my app can access the API?
没有用户身份验证.
主要问题是机器人通过扫描 XML 窃取数据.
The main concern is that bots steal data by scanning the XML.
这个怎么样:
我请求与设备 UDID 进行会话并获得握手密钥.
I request a session with the device UDID and I get a handshake key.
<handshake>23354</handshake>
从这个字符串中,根据约定的算法在服务器和客户端计算密码(只是很难重建)
from this string a password is calculated on both the server and the client according to an agreed algorithm (it just has to be hard to reconstruct)
现在假设我在握手密钥上加 1
Let's say for now that I add 1 to the handshake key
password = 23354
在所有 API 调用中,我都会将此密码与 UDID 一起传递.这将允许服务器将每个会话限制为一定数量的调用,不是吗?
On all API calls I then pass this password along with the UDID. This would allow the server to limit each session to a certain number of calls, no?
你怎么看?
推荐答案
不,不可能真正确保只有您的应用程序可以联系您的服务器.有一些混淆技术可以在一定程度上提高攻击者的门槛,这些技术对大多数攻击者都有效.专门的攻击者无法解决您的潜在问题.您可以在 iPhone:如何加密一个字符串.您可以在这些帖子中使用多种技术,并讨论了您应该如何以及是否应该解决潜在问题.
No, it is not possible to really ensure that only your app can contact your server. There are obfuscation techniques for raising the bar somewhat on attackers, and those will work for most attackers. Your underlying problem is not solvable for a dedicated attacker. You can find a list of other posts on this subject at iPhone: How to encrypt a string. There are several techniques you can use in those posts, and some discussion of how and whether you should attack the underlying issues.
这篇关于iPhone 和服务器之间的安全通信?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
