Protect API URL access via hash in Android app


Problem description

In my Android application, the user can submit content to the database which can then be seen by all the other users as well.

This new content is sent to the server via GET request:

http://www.example.org/API.php?newContent=helloWorld

The problem is: If a user finds out what this URL looks like, he could easily send malicious requests in his browser and circumvent the Android application. Maybe one could decompile the app and find out about the URL.

How can I protect access to this URL and prevent users from accessing this API directly?

Is it a good solution to generate a hash in the application and compare it with a hash generated in the API.php file on the server?

Couldn't one find out how the hash is generated when decompiling the application?

Thank you very much in advance!

Solution

So the only way to truly protect that URL is by requiring all requests to it be authenticated.

One way to do this is change your request to a POST request and send along some sort of auth token (a simple hash will do) with the request. If the auth token isn't present, simply don't respond to the request. The hash would be something you'd hardcode into both the client and server.

Now the question is how to hide your auth token. As long as you're not open sourcing your code, the only way for someone to get at it would be to decompile your program as you mentioned. To guard against this you might want to look into using proguard (http://developer.android.com/guide/developing/tools/proguard.html).

Something to keep in mind is that this method contains a single point of failure. If your auth token is ever exposed, you're done for (e.g. the HD DVD AACS cryptographic key debacle).

One other way to authenticate is on a per-user basis. As long as a valid user is making a request, you shouldn't really care whether or not the request is coming from the web browser or Android app. I think this is a much better way of doing things. By doing this, you can throttle requests on a per-user basis. This however requires you to manage user profiles and the whole can of worms that comes along with it.

All that said, at the end of the day you shouldn't really care if somebody knows the URL to a portion of your API. I don't know your particular use case, but there's got to be a way to design your API so that you don't care how you're getting your requests. Also, if you're doing a true GET, then you shouldn't be changing anything on the server. This means that all the 'malicious person' can do is get data off of it. This severely limits the damage they can do. In fact, unless you have sensitive data that you don't want certain people to look at, you don't really have a problem at all. If you do, then you should really think about my per-user authentication solution.
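The per-user approach the answer recommends, written out as the server-side check. This is an added example and not code from the question or the answer (the original endpoint is API.php, so a PHP deployment would port this logic). Everything about the request shape is assumed: a POST carrying an `Authorization: Bearer <token>` header and a `newContent` form field, an in-memory token store standing in for the user table, and a 5-requests-per-60-seconds limit chosen only for illustration.

```python
"""Per-user authentication and throttling for a content-submission endpoint.

Added example (not from the original post).  The token store, the
submissions list and the rate-limit constants are constructed stand-ins
for what would live in the server's database and configuration.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

# Constructed stand-in for the user table: user_id -> sha256(token) hex.
# Only the hash is stored, so a database leak does not yield usable tokens.
TOKEN_STORE: Dict[str, str] = {}

# Constructed stand-in for the content table the question describes.
SUBMISSIONS = []

RATE_LIMIT = 5        # accepted requests per user ...
RATE_WINDOW = 60.0    # ... within this many seconds (assumed values)

_recent = defaultdict(deque)  # user_id -> timestamps of recent requests


def issue_token(user_id: str) -> str:
    """Create a random per-user token at login; keep only its hash server-side."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[user_id] = hashlib.sha256(token.encode()).hexdigest()
    return token


def revoke_token(user_id: str) -> None:
    """Invalidate one user's token without affecting any other client.

    A single hardcoded app-wide secret cannot offer this: once it leaks,
    rotating it breaks every installed copy of the app at once.
    """
    TOKEN_STORE.pop(user_id, None)


def user_for_token(token: str) -> Optional[str]:
    """Map a presented token back to its user id, comparing in constant time."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for user_id, stored in TOKEN_STORE.items():
        if hmac.compare_digest(stored, digest):
            return user_id
    return None


def allow_request(user_id: str, now: float) -> bool:
    """Sliding-window throttle: at most RATE_LIMIT requests per RATE_WINDOW."""
    window = _recent[user_id]
    while window and now - window[0] >= RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True


def handle_request(method: str, headers: dict, form: dict, now: float) -> Tuple[int, str]:
    """Handle one submission request and return (HTTP status, message)."""
    # A true GET must not change server state, so submission is POST-only.
    if method != "POST":
        return 405, "content submission requires POST"

    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"

    user_id = user_for_token(token)
    if user_id is None:
        return 401, "unknown or revoked token"

    # The request is tied to a user, so abuse is throttled per user rather
    # than by trusting whichever client happens to know a shared secret.
    if not allow_request(user_id, now):
        return 429, "too many requests"

    content = form.get("newContent")
    if not content:
        return 400, "newContent is required"

    SUBMISSIONS.append((user_id, content))
    return 201, "stored"


if __name__ == "__main__":
    alice = issue_token("alice")
    print(handle_request("GET", {}, {"newContent": "helloWorld"}, now=0.0))
    print(handle_request("POST", {"Authorization": "Bearer " + alice},
                         {"newContent": "helloWorld"}, now=1.0))
    print(handle_request("POST", {"Authorization": "Bearer guessed"},
                         {"newContent": "helloWorld"}, now=2.0))
```

The point the code makes is the one the answer makes in prose: because every request names a user, the server can throttle and revoke per user, and a client that extracted a token from one APK gets only that one account's access. ProGuard obfuscation does nothing comparable for a hardcoded shared hash, since the secret still ships inside every copy of the app.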
