Restrict API requests to only my own mobile app

Views: 101

Problem description


Is there any way to restrict post requests to my REST API only to requests coming from my own mobile app binary? This app will be distributed on Google Play and the Apple App Store so it should be implied that someone will have access to its binary and try to reverse engineer it.


I was thinking something involving the app signatures, since every published app must be signed somehow, but I can't figure out how to do it in a secure way. Maybe a combination of getting the app signature, plus time-based hashes, plus app-generated key pairs and the good old security through obscurity?


I'm looking for something as fail-proof as possible. The reason why is because I need to deliver data to the app based on data gathered by the phone sensors, and if people can pose as my own app and send data to my API that wasn't processed by my own algorithms, it defeats its purpose.


I'm open to any effective solution, no matter how complicated. Tin foil hat solutions are greatly appreciated.

Recommended answer


Any credentials that are stored in the app can be exposed by the user. In the case of Android, they can completely decompile your app and easily retrieve them.


If the connection to the server does not utilize SSL, they can be easily sniffed off the network.


Seriously, anybody who wants the credentials will get them, so don't worry about concealing them. In essence, you have a public API.


There are some pitfalls and it takes extra time to manage a public API.


Many public APIs still track by IP address and implement tarpits to simply slow down requests from any IP address that seems to be abusing the system. This way, legitimate users from the same IP address can still carry on, albeit slower.


You have to be willing to shut off an IP address or IP address range despite the fact that you may be blocking innocent and upstanding users at the same time as the abusers. If your application is free, it may give you more freedom since there is no expected level of service and no contract, but you may want to guard yourself with a legal agreement.


In general, if your service is popular enough that someone wants to attack it, that's usually a good sign, so don't worry about it too much early on, but do stay ahead of it. You don't want the reason for your app's failure to be because users got tired of waiting on a slow server.


Your other option is to have the users register, so you can block by credentials rather than IP address when you spot abuse.
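A worked illustration of the tarpit idea in the answer above, added here and not part of the original answer: a sliding-window limiter keyed by source (an IP address for an anonymous API, or a registered user's credential, the answer's second option) that slows a busy source down before it ever blocks it, so a legitimate client behind the same NAT address keeps working, only more slowly. The thresholds and the sample addresses are constructed assumptions, not tuned values.

```python
import time
from collections import defaultdict, deque


class Tarpit:
    """Per-source sliding-window limiter that delays before it blocks."""

    def __init__(self, window_s=60, soft_limit=30, max_delay_s=8.0, block_after=500):
        self.window_s = window_s        # length of the sliding window in seconds
        self.soft_limit = soft_limit    # requests per window before delays start
        self.max_delay_s = max_delay_s  # cap on the artificial delay
        self.block_after = block_after  # requests per window that triggers a hard block
        self.hits = defaultdict(deque)  # key -> timestamps of requests in the window

    def decide(self, key, now=None):
        """Return (verdict, delay_seconds); verdict is 'allow', 'delay' or 'block'."""
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window_s:  # drop requests outside the window
            q.popleft()
        q.append(now)
        n = len(q)
        if n > self.block_after:
            return "block", 0.0
        if n <= self.soft_limit:
            return "allow", 0.0
        # Past the soft limit the delay doubles for every further soft_limit
        # requests, so an abuser is throttled hard while its neighbours still get through.
        excess = n - self.soft_limit
        return "delay", min(self.max_delay_s, 0.25 * 2 ** (excess // self.soft_limit))


def handle_request(tarpit, key, now=None, sleep=time.sleep):
    """Apply the verdict the way a request handler would: sleep, then serve or reject."""
    verdict, delay = tarpit.decide(key, now)
    if verdict == "block":
        return 429                      # Too Many Requests
    if delay:
        sleep(delay)                    # the tarpit: slow the caller down, don't refuse
    return 200


if __name__ == "__main__":
    tp = Tarpit()
    # Constructed traffic: one source (198.51.100.7) hammering the API in a single second.
    for i in range(60):
        verdict = tp.decide("198.51.100.7", now=1.0)
    print("60th request from the busy source:", verdict)        # ('delay', 0.5)
    print("first request from 203.0.113.9:", tp.decide("203.0.113.9", now=1.0))
```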
