iOS: Is there a safe way to include an API key in the code?


Question

Amazon has an AWS SDK for iOS, along with several sample apps. In their samples, they put the API credentials in a Constants.h file:

// Constants used to represent your AWS Credentials.
#define ACCESS_KEY_ID          @"CHANGE ME"
#define SECRET_KEY             @"CHANGE ME"

My concern is that these can be extracted by a determined hacker. Is there any way to securely include API keys in an app?

The one option I've seen is to include a server of my own as a go-between: the app talks to my server, my server talks to S3. I can see the value in doing this, but one is still presented with the problem: do I allow the app to make API calls on my server without any kind of authentication? Including my own API key in the app has the same problem as including AWS API keys.
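
An added example, not part of the original question or answer: a pre-release check run against your own build artifact, showing that string constants like the ones in Constants.h sit in the compiled binary as plain bytes and can be flagged before shipping. The function names, the sample bytes and the 256-byte search window are assumptions made for illustration.

```python
import re

# Long-term AWS access key IDs start with "AKIA"; temporary (STS) ones with "ASIA".
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 256  # assumption: how far around a key ID to look for a secret


def scan_for_aws_keys(blob):
    """Return one finding per AWS access key ID found in the raw bytes."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        key_id = m.group(0).decode("ascii")
        nearby = blob[max(0, m.start() - WINDOW):m.end() + WINDOW]
        findings.append({
            "offset": m.start(),
            "key_id": key_id,
            "long_term": key_id.startswith("AKIA"),
            "secret_candidate_nearby": SECRET_KEY_RE.search(nearby) is not None,
        })
    return findings


def constructed_sample():
    """Constructed bytes standing in for a compiled app binary (not real keys)."""
    key_id = b"AKIA" + b"EXAMPLEEXAMPLE00"
    secret = b"EXAMPLEsecret" * 3 + b"0"
    temp_id = b"ASIA" + b"TEMPORARYEXAMPLE"
    return (b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + b"CHANGE ME\x00"
            + key_id + b"\x00" + secret + b"\x00"
            + b"\x00" * 512 + temp_id + b"\x00")


if __name__ == "__main__":
    for f in scan_for_aws_keys(constructed_sample()):
        kind = "long-term" if f["long_term"] else "temporary"
        print(f"offset {f['offset']}: {kind} key ID {f['key_id']}, "
              f"secret-like string nearby: {f['secret_candidate_nearby']}")
```

In a build pipeline, the same function can be fed the bytes of the compiled executable and the build failed on any finding with `long_term` set.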

Recommended answer

There are a couple of credential management options to help you avoid embedding credentials in your app. The first is Web Identity Federation, which allows users to log in to your app with Facebook, Google, or Login With Amazon. Another option is to use a Token Vending Machine, which is a server component that distributes temporary credentials to your app.

There is a high-level overview with pointers to the relevant documentation and code samples on the AWS Mobile Development Blog: http://mobile.awsblog.com/post/Tx3UKF4SV4V0LV3/Announcing-Web-Identity-Federation
