How does facebook verify app authenticity with key hash?


Problem description

When developing an Android app with Facebook, you are required to upload the key hash of your app to their site. With this they claim that they are able to verify that the calls to their servers are actually made from your app.

I've read this question How does Facebook verifies mobile apps but it doesn't really provide the actual implementation of this. I've tried looking into the source code of the Facebook library but couldn't figure it out.

Which data is sent out of the Android app, and under what encryption, that can be verified against this hash on the server? Is the method implemented by Facebook fail-safe?

If it is, and it can be implemented on any server, I could use it to verify against my server that my apps haven't been recompiled with different code (which tends to happen pretty often :( )

I'm currently implementing this idea in this way:

Signature[] sigs = context.getPackageManager()
        .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES)
        .signatures;
for (Signature sig : sigs) {
    // Signature.hashCode() is a Java hash of the raw signature bytes; it is not
    // the Base64-encoded SHA-1 "key hash" that Facebook asks for on its site.
    verifyInServer(sig.hashCode());
}

Where verifyInServer is pseudocode for the check made against the server with the stored value of the signatures. It has worked for now, but I'm not sure that it's safe, and I'd rather check against a key hash (which is public) than this signature data (which I'm not really sure is private and not spoofable by the user).

Recommended answer

It is the native Facebook app, called through the SDK, that verifies the signature of the app (via an API built into the Android OS): it checks whether it matches the hash or not. The hash is a sort of public key when the app is signed by the private key.

One could use the JS SDK to log the user in instead of the native app, and then the hash won't be verified (it can be spoofed). Anyway, they see it as a non-issue, as in such circumstances the user will see which app he logs in to and needs to allow access anyway (the login flow goes through the FB server and it shows the app name). You can't spoof the uid in the Facebook cookie here.

One also could possibly mess with the Facebook native app to make it see a non-signed app as some other signed one, knowing the hash of that other one (but this would be a rather hard task, if even possible; one would need to crack it and change it, and it would work only on a system where the modified native FB app was installed).
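As an added example (not code from the question, the answer, or Facebook), here is the hash derivation the answer refers to, carried out in Python: a Facebook key hash is the Base64 encoding of the SHA-1 digest of the app's DER-encoded signing certificate, and the check compares that value with the hashes the developer registered. The certificate bytes below are constructed, and verify_caller is a hypothetical stand-in for the comparison the native Facebook app performs on-device; the real check reads the certificates through Android's PackageManager rather than trusting a value the app sends about itself.

```python
import base64
import hashlib


def key_hash(der_cert: bytes) -> str:
    """Facebook key hash: Base64(SHA-1(DER-encoded signing certificate)).

    These are the same certificate bytes that Android exposes through
    PackageInfo.signatures and that `keytool -exportcert` writes out.
    """
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def verify_caller(signatures, registered_hashes) -> bool:
    """Hypothetical mirror of the on-device check.

    `signatures` are the calling package's DER certificates as read by a
    trusted process (PackageManager), not values supplied by the app itself;
    an app that merely reports its own hash could report any value.
    Every certificate must be one the developer registered.
    """
    if not signatures:
        return False
    allowed = set(registered_hashes)
    return all(key_hash(sig) in allowed for sig in signatures)


# Constructed sample certificates (a real DER certificate is ~1 KB of ASN.1;
# any byte string works for demonstrating the derivation).
GENUINE_CERT = b"\x30\x82\x01\x00" + b"constructed-genuine-certificate-bytes"
RESIGNED_CERT = b"\x30\x82\x01\x00" + b"constructed-resigned-certificate-bytes"

# What the developer would have pasted into the Facebook app settings.
REGISTERED = [key_hash(GENUINE_CERT)]

if __name__ == "__main__":
    print("registered key hash:", REGISTERED[0])
    # A recompiled app must be re-signed with a different key, so its
    # certificate (and therefore its key hash) no longer matches.
    print("genuine app passes :", verify_caller([GENUINE_CERT], REGISTERED))
    print("re-signed app passes:", verify_caller([RESIGNED_CERT], REGISTERED))
```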
