Android: Verifying the application's integrity on the server side


Problem description

I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).

Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?

Thanks for any hints.

Regards, Peter

Recommended answer

You are trying to address a known problem:

  1. You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper-proof. An example of such a device is a SmartCard. Mobile devices certainly are not.

  2. You should never send data to the device that the user is not supposed to see. The implication of this is that all business logic must be done on the server.

  3. All requests to the server should be authenticated with the user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
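The following is an added example illustrating the three points of this answer; it is not code from the original question or answer. It simulates both sides of the exchange in plain Python: a server handler that authenticates every request with the user's credentials and computes the price itself, and two clients, one genuine and one repackaged. The "integrity" header the asker has in mind is modelled as a SHA-256 of the APK signing certificate. The header name `X-Apk-Cert-Sha256`, the HTTP Basic credential scheme, the user table and the catalogue are all constructed assumptions for the demo, and HTTPS is assumed to be terminated in front of the handler.

```python
"""Added example (not from the original question or answer).

Demonstrates, with constructed data:
  - point 1: a certificate hash sent by the client proves nothing, because a
    repackaged app can send the same bytes;
  - point 2: business logic (here, pricing) is done on the server, so a value
    the client supplies is ignored;
  - point 3: every request is authenticated with the user's credentials.
"""
import base64
import hashlib
import hmac

# Constructed sample data (assumptions for the demo, not a real deployment).
USERS = {"peter": "correct horse battery staple"}  # user -> password
PRICES = {"sku-1": 1000}                            # price in cents, server-side only

# Digest a genuine client would compute over its APK signing certificate.
GENUINE_CERT = b"-----CONSTRUCTED CERT BYTES-----"
GENUINE_CERT_SHA256 = hashlib.sha256(GENUINE_CERT).hexdigest()


def check_credentials(authorization_header):
    """Return the user name if HTTP Basic credentials are valid, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    # Constant-time comparison so timing does not leak how much of the password matched.
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def handle_purchase(headers, body):
    """Server-side handler for a purchase. Returns (status, response_dict)."""
    # Point 3: authenticate first; nothing else is evaluated for an anonymous caller.
    user = check_credentials(headers.get("Authorization"))
    if user is None:
        return 401, {"error": "authentication required"}
    # Point 1: the certificate hash is data chosen by the caller. A repackaged app
    # can copy it from the genuine app, so the server only records the claim.
    claims_genuine = headers.get("X-Apk-Cert-Sha256") == GENUINE_CERT_SHA256
    # Point 2: price is business logic, so it comes from the server-side catalogue.
    # Any "price_cents" the client puts in the body is never read.
    sku = body.get("sku")
    if sku not in PRICES:
        return 400, {"error": "unknown sku"}
    qty = body.get("qty", 1)
    if not isinstance(qty, int) or qty < 1:
        return 400, {"error": "invalid qty"}
    return 200, {"user": user, "sku": sku, "total_cents": PRICES[sku] * qty,
                 "client_claims_genuine": claims_genuine}


def basic_auth(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def genuine_client_request():
    """Request as sent by the unmodified app."""
    return ({"Authorization": basic_auth("peter", "correct horse battery staple"),
             "X-Apk-Cert-Sha256": GENUINE_CERT_SHA256},
            {"sku": "sku-1", "qty": 2})


def tampered_client_request():
    """Request from a repackaged app: replays the genuine hash and tries to set its own price."""
    return ({"Authorization": basic_auth("peter", "correct horse battery staple"),
             "X-Apk-Cert-Sha256": GENUINE_CERT_SHA256},
            {"sku": "sku-1", "qty": 2, "price_cents": 1})


if __name__ == "__main__":
    for name, req in (("genuine", genuine_client_request()),
                      ("tampered", tampered_client_request()),
                      ("anonymous", ({}, {"sku": "sku-1"}))):
        print(name, handle_purchase(*req))
```

Running it shows the server producing the same 200 response, with the same server-computed total and `client_claims_genuine: True`, for both the genuine and the tampered client: the hash check cannot tell them apart, which is point 1, while the attacker's `price_cents` has no effect, which is point 2. Only the request without credentials is rejected, which is the check the server can actually rely on.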
