Secure https encryption for iPhone app to webpage


Question

I want to sell an iPhone app that will house a single web view to a web page, say http://www.myapp.com/webview/. I would like the app to effectively store the credentials required for authentication at the website (i.e. only someone who has bought the app can view this page).

How else would I have a secure, simple webview on the iPhone, without requiring the user to log in (essentially them buying the app will constitute their authentication to the page)?

Can anyone help with this?

Answer

There is no absolute way to achieve this goal. If you have a web service that uses a shared credential (one bundled in the application), then it will be possible to reverse engineer that credential. Ultimately it is impossible to ensure that a client running on another machine is "your" client.

There have been many discussions of this. It is not hopeless, only impossible to solve 100% (or even 90%). A simple shared secret over SSL will stop the majority of your attackers without harming your users or costing a lot to develop. It is obfuscation, not security, but cheap and "mostly effective" is much better than expensive and "mostly effective."

If you have a very high-value product, then it may warrant more aggressive (expensive) solutions. All of these solutions include one of two things:

  • Authenticate the user, not the program, or

  • Constant vigilance: watch for new attacks and respond to them with patches.

The latter is very expensive and never ends. Make sure it's worth it.

Some other useful discussions:

  • Anti piracy and app identification. iPhone SDK
  • Easiest way to limit executable to running on a certain computer
  • Decompiling Objective-C libraries
  • Obfuscating Cocoa

EDIT: I wanted to point out one thing about my mention of "shared secret over SSL." Remember that if you don't verify the certificate, you are subject to very easy man-in-the-middle attacks. Readily available proxies like Charles can do this. The best approach is to make sure that the SSL certificate being returned is signed by your root certificate, not just "any trusted certificate." You can reconfigure which certificates are trusted by your application with SecTrustSetAnchorCertificates(). iOS5:PTL covers this technique in Chapter 11 (page 221). I've also wrapped this into a library called RNPinnedCertValidator.

Another good layer is to implement a challenge-response system where the server authenticates that the client has the shared secret without ever putting it on the wire. The Wikipedia article on Challenge-response authentication includes a good explanation of the algorithm.
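The challenge-response layer the answer recommends, written out as an added example (this is not the answerer's code nor part of RNPinnedCertValidator, and it is in Python rather than Objective-C so both sides of the exchange fit in one file). The `Server`, `Client`, `compute_response` and `run_exchange` names and the `SHARED_SECRET` value are constructed for the demo. The server issues a random nonce, the client returns HMAC-SHA256(secret, nonce), and the server recomputes and compares in constant time; the secret itself never crosses the wire. Each nonce is single-use and time-limited, so a captured response cannot be replayed. This is still the "obfuscation, not security" layer the answer describes, because the secret ships inside the app; it protects the credential in transit, not against someone who extracts it from the binary, and it does not replace certificate pinning for the TLS channel.

```python
"""Challenge-response authentication over a shared secret (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo secret; a real app would bundle or provision its own value.
SHARED_SECRET = b"constructed-demo-shared-secret"


def compute_response(secret: bytes, nonce: str) -> str:
    """Both sides derive the same response from the secret and the server's nonce."""
    return hmac.new(secret, nonce.encode("ascii"), hashlib.sha256).hexdigest()


class Server:
    """Issues challenges and verifies responses; tracks nonces for replay protection."""

    def __init__(self, secret: bytes, ttl_seconds: float = 60.0):
        self._secret = secret
        self._ttl = ttl_seconds
        self._pending: Dict[str, float] = {}  # nonce -> time issued

    def issue_challenge(self, now: Optional[float] = None) -> str:
        """Hand the client a fresh, unpredictable nonce (128 bits of randomness)."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, nonce: str, response: str, now: Optional[float] = None) -> bool:
        """Accept the response only if the nonce is known, unused, fresh, and the HMAC matches."""
        issued = self._pending.pop(nonce, None)  # pop: each nonce is valid exactly once
        if issued is None:
            return False  # unknown, already consumed, or forged nonce
        current = time.time() if now is None else now
        if current - issued > self._ttl:
            return False  # stale challenge
        expected = compute_response(self._secret, nonce)
        # Constant-time compare so response timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


class Client:
    """The app side: holds the secret and answers challenges without revealing it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, nonce: str) -> str:
        return compute_response(self._secret, nonce)


def run_exchange(server: Server, client: Client) -> bool:
    """One full round trip: server -> nonce -> client -> response -> server decision."""
    nonce = server.issue_challenge()
    return server.verify(nonce, client.respond(nonce))


if __name__ == "__main__":
    srv = Server(SHARED_SECRET)
    print("genuine client:", run_exchange(srv, Client(SHARED_SECRET)))
    print("wrong secret:  ", run_exchange(srv, Client(b"guessed-secret")))
```

The `now` parameter exists only so the expiry and replay paths can be exercised deterministically; in a real deployment the server would keep `_pending` in shared storage with expiry rather than in a process-local dict.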
