Securing API Keys on clients (JavaScript, Android, iOS, etc.)

Question

I am working on an API-centric web application with a custom authorization method that consists of building a string based off of the request method, URL, params, public API key and encoded by a private API key. This works fine on the server side, but on the client side the private API key (and authorization method) will be vulnerable. I've spent the last hour or so looking for a good way to secure this API key, and the best method I could find is by proxying through my server, but I am still not 100% sure on this.

First of all, should I be worried? I want to make security a priority in my web application, but anything that will deal with modifying a user's account will need a temporary, encrypted token to authorize the request (in addition to the HMAC hash).

My understanding of proxying was that you would make a request to your server, which would then encrypt with the private key and return the information... but how would the server validate that the request came from a source with a valid API key?

Can anyone provide any insight as to what I should do? I feel like this could potentially be a vulnerability for any client-side code including JavaScript, iOS, and Android.

Recommended answer

You can never trust the client. Even if you obfuscate, someone could still figure it out. For example, an adversary could reverse-engineer the obfuscation algorithm, look at the device memory, or even capture what's sent over the wire.

However, you can still make a secure app by enforcing security on the server side. For example, users should need to be authenticated in order to successfully make privileged API requests.

Also, you can enforce API usage on the server side, whether by input validation, rate limiting, or IP address tracking.
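As an added illustration of the server-side enforcement the answer recommends (example code written for this page, not the poster's): the server alone holds the private key, recomputes the HMAC over the canonical string the question describes, and then applies authorization and rate limiting itself, so nothing the client does with its copy of the public key changes the outcome. The key store, `RATE_LIMIT`, the `account` parameter and the endpoint paths are constructed values.

```python
import hmac
import hashlib
from collections import defaultdict
from urllib.parse import urlencode

# Constructed key store: public key id -> (private key, owning user).
# The private key is only ever read here, on the server side.
KEYS = {"pk_demo": (b"sk_demo_private_key", "user-42")}
RATE_LIMIT = 3  # constructed: requests allowed per window per public key
_counts = defaultdict(int)  # public key -> requests seen in the current window


def canonical_string(method, url, params, public_key):
    """The string the question describes: method, URL, params and public key."""
    return "\n".join([method.upper(), url, urlencode(sorted(params.items())), public_key])


def sign(private_key, method, url, params, public_key):
    """HMAC-SHA256 of the canonical string under the private key (hex encoded)."""
    msg = canonical_string(method, url, params, public_key).encode()
    return hmac.new(private_key, msg, hashlib.sha256).hexdigest()


def handle_request(method, url, params, public_key, signature):
    """Server-side checks from the answer; returns an HTTP-style status code."""
    entry = KEYS.get(public_key)
    if entry is None:
        return 401  # unknown public key: cannot be tied to any user
    private_key, user_id = entry
    expected = sign(private_key, method, url, params, public_key)
    # Constant-time comparison so a wrong signature leaks nothing via timing.
    if not hmac.compare_digest(expected, signature):
        return 401  # signature does not match: request not made with this key
    _counts[public_key] += 1
    if _counts[public_key] > RATE_LIMIT:
        return 429  # rate limiting is enforced here, not trusted to the client
    # Authorization: a key may only modify the account it belongs to.
    if method.upper() != "GET" and params.get("account") != user_id:
        return 403
    return 200


def reset_rate_limits():
    """Start a new rate-limit window (a scheduler would call this periodically)."""
    _counts.clear()
```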
