Restricting access to server to iPhone app


Problem description

I'm building a client/server iPhone game, where I would like to keep third-party clients from accessing the server. This is for two reasons: first, my revenue model is to sell the client and give away the service, and second I want to avoid the proliferation of clients that facilitate cheating.

I'm writing the first version of the server in rails, but I'm considering moving to erlang at some point.

I'm considering two approaches:

  1. Generate a "username" (say, a GUID) and hash it (SHA256 or MD5) with a secret shipped with the app, and use the result as the "password". When the client connects with the server, both are sent via HTTP Basic Auth over https. The server hashes the username with the same secret and makes sure that they match.

  2. Ship a client certificate with the iPhone app. The server is configured to require the client certificate to be present.

The first approach has the advantage of being simple, low overhead, and it may be easier to obfuscate the secret in the app.

The second approach is well tested and proven, but might be higher overhead. However, my knowledge of client certificates is at the "read about it in the Delta Airlines in-flight magazine" level. How much bandwidth and processing overhead would this incur? The actual data transferred per request is on the order of a kilobyte.

Recommended answer

Have your game users authenticate with their account through OAuth, to authorize them to make game state changes on your server.

If you can't manage to authenticate users, you'd need to authenticate your game application instance somehow. Having authentication credentials embedded in the binary would be a bad idea as application piracy is prevalent and would render your method highly insecure. My SO question on how to limit Apple iPhone application piracy might be of use to you in other ways.
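To make the trade-off concrete, here is an added Ruby example (not code from the question, the answer, or any project) showing approach 1's check as the Rails server would run it, next to the server-issued per-user token model the answer's OAuth suggestion boils down to. The secret value, the `TokenStore` class and the helper names are constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed placeholder for the secret approach 1 would ship inside the app
# binary. Every copy of the app carries the same value, so it is as secret as
# the least-protected copy of the binary.
APP_SECRET = 'constructed-demo-secret-not-a-real-value'.freeze

# Client side of approach 1: derive the "password" for a generated username.
# HMAC-SHA256 is used rather than bare SHA256(username + secret) so the
# construction is not open to length-extension; the trust model is unchanged.
def derive_password(username, secret = APP_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, username)
end

# Constant-time string comparison (same shape as Rack's secure_compare) so
# the server's check does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Server side of approach 1: recompute the expected password and compare.
# Note what this actually proves: only that the caller knows APP_SECRET,
# not that the caller is the genuine, paid-for client.
def valid_credentials?(username, password, secret = APP_SECRET)
  secure_compare(derive_password(username, secret), password)
end

# Contrast: a per-user token issued by the server after the user has
# authenticated (OAuth or otherwise). Nothing in the binary grants access, and
# a leaked token can be revoked per user instead of rotating a global secret.
class TokenStore
  def initialize
    @tokens = {}
  end

  # Issue a random bearer token; only its hash is kept server side.
  def issue(user_id)
    token = SecureRandom.hex(32)
    @tokens[OpenSSL::Digest::SHA256.hexdigest(token)] = user_id
    token
  end

  # Resolve a presented token to its user, or nil if unknown.
  def lookup(token)
    @tokens[OpenSSL::Digest::SHA256.hexdigest(token)]
  end
end
```

Running `valid_credentials?` with any freshly generated GUID and `derive_password` of that GUID succeeds, which is exactly the answer's point: possession of the shipped secret, not possession of a legitimate app, is what the server ends up verifying.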
