Mobile - API server security


Problem description

I am building an Android app - a key part of which will include integration with a server API. The app is just a side-project and I am really just looking for validation of my planned API security and suggestions of best practice and how other apps do it.

The application will be mobile only (to start with, no website) - I want to be able to create user accounts from the app, and once signed up, use the central web API to access/update secured user-specific content.

What I have started looking at is a basic hosted MVC web app (I'm from a JVM/Spring background, so will likely use those libraries, but the question here is tech-agnostic) - the app will have no webpages and just expose a series of endpoints:

  • Publicly accessible POST endpoints for sign-up and login
  • OAuth-secured endpoints for user-specific content (plus, of course, the usual OAuth dance endpoints that requires)

Is that a reasonable approach? Does using OAuth make sense when I have control over the client and server sides?

I assume the official Twitter app just uses OAuth with the API that it exposes to other users? And Instagram was launched as a mobile-only platform at first, so I assume they must have had in-app account creation & then some API security?

(I know there are further considerations/requirements - communication over SSL, protecting your application's OAuth key from people decompiling the application and then using the key in other apps, etc., but really I just want some higher-level input if people have implemented these kinds of systems before, with success/problems, etc.)

Recommended answer

Sounds good, but any token-based sessions would work. Don't store the credentials (at least not the password) on the device. Only store the token, which can be expired, and store it securely. Require HTTPS and use certificate pinning to prevent session hijacking.
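The server half of the answer's "token-based session" advice, written out as an added example (it is not code from the question, the answer, or any of the apps mentioned): an in-memory stand-in for the backend (the class name AuthServer, the /register and /login endpoint names, TOKEN_TTL and the helper names are all assumptions of this example) that keeps only a salted PBKDF2 hash of each password, hands the client a random opaque token at login, stores only the SHA-256 digest of that token, and refuses anything expired or revoked. Python is used so the block runs stand-alone; the questioner's Spring stack would express the same design with its own authentication filter.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime of an issued session token, in seconds. A real deployment
# would tune this and probably add a refresh flow on top.
TOKEN_TTL = 60 * 60


@dataclass
class User:
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    username: str
    expires_at: float


class AuthServer:
    """In-memory stand-in for the server side of a token-based session API."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock, so expiry is testable
        self.users = {}             # username -> User (salted hash only)
        self.sessions = {}          # sha256(token) -> Session
        self._dummy_salt = os.urandom(16)   # see login(): equalises timing

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Slow, salted hash: a leaked user table does not yield passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_key(token: str) -> str:
        # Only a digest of the token is stored, so a leaked session table
        # cannot be replayed against the API.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username: str, password: str) -> bool:
        """POST /register: create an account; False if the name is taken."""
        if username in self.users:
            return False
        salt = os.urandom(16)
        self.users[username] = User(salt, self._hash_password(password, salt))
        return True

    def login(self, username: str, password: str):
        """POST /login: check the password once, return an opaque token.

        The client keeps the token (in secure storage), never the password.
        Returns None on bad credentials.
        """
        user = self.users.get(username)
        # Hash even for an unknown user so a missing account costs the same
        # time as a wrong password (limits account enumeration via timing).
        salt = user.salt if user is not None else self._dummy_salt
        candidate = self._hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)      # 256 bits of randomness
        self.sessions[self._token_key(token)] = Session(
            username, self.now() + TOKEN_TTL)
        return token

    def authenticate(self, token: str):
        """Resolve a bearer token from a request to a username, or None.

        Expired entries are dropped on sight, so the table cannot grow
        without bound and an old token cannot be revived.
        """
        key = self._token_key(token)
        session = self.sessions.get(key)
        if session is None:
            return None
        if self.now() >= session.expires_at:
            del self.sessions[key]
            return None
        return session.username

    def logout(self, token: str) -> bool:
        """Explicit revocation; True if a live session was removed."""
        return self.sessions.pop(self._token_key(token), None) is not None


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse battery staple")
    issued = server.login("alice", "correct horse battery staple")
    print("authenticated as:", server.authenticate(issued))
```

The client half of the answer (keeping the token in the platform's secure storage rather than a plain preferences file, sending it as a bearer header only over HTTPS, and pinning the server certificate) lives in the Android app and is not shown here; on Android those pieces are Keystore-backed storage and OkHttp's CertificatePinner.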
