How can I design a secure API/Authentication for mobile apps to access a service?


Question

I want to offer some functions of my webapp to be used in other apps (I'm thinking mainly about smartphones, since they offer more capabilities e.g. GPS, Camera,..).

From what I have encountered myself so far in terms of other APIs e.g. GoogleMaps, is that a 3rd party developer would register himself at my site, he gets an API key (some random UUID) and he has to use it to authenticate his requests against my website. So far so good...

Is there a mechanism to protect the end user of a mobile app from malicious apps? E.g. a 3rd party developer could build an app and capture all usernames/passwords from the end user, so that he can do bad stuff with the user account. (E.g. I could build a Twitter app, capture all the usernames/passwords and then delete all their tweets, post new ones,..) Is there a possibility to prevent this? AFAIK you could use OAuth on the web so that my website login box would appear on another site and ask them for their username/password, so that it isn't shown to the 3rd party site. Is it possible to implement a secure authentication for smartphone apps? How would you do it?

Answer

For Android and iPhone you can use OAuth without problems, and so far I think this is the best way to do it.

The flow for these two smartphone types is the same as in web applications, because both OSes give you the possibility to start a web browser from your application and redirect the user to the web provider, so he can authorize your request (token), and then the browser can return your user to the application via a proper callback URI. I haven't implemented OAuth for mobile phones, but I've heard from a friend that it's possible and that the mobile browser can redirect the user back to your app with some special URI, like scheme://app/parameters.

Here is something for this with Android: http://stackoverflow.com/questions/2958701/launch-custom-android-application-from-android-browser

There are two OAuth use cases: 2-legged and 3-legged.

2-legged is when you want to protect your API, so that it can be called only from authenticated consumer applications. This is a popular scheme that has existed for ages AFAIK - the consumer signs every request with a consumer shared key, and the provider (your API) signs the request also to see if the signatures match. This way you can tell if API usage is ok for that consumer.

3-legged OAuth includes the end-user of the consumer 3rd party app. It is very suitable if you want to protect your API again like in 2-legged, because requests are still signed, but also your API can be protected by the end-user's permission. The provider of the API issues a token and gives it to the consumer application (3rd party app). Then this app saves the token locally and redirects the user to the provider for authorization of the token. When the user authorizes it, the provider sends the user back to the consumer application, and then the consumer can make authenticated (signed) and authorized (by the user - 3rd leg) requests to your API.

The protocol is not very complicated once you read how it works, and is very flexible - you can extend it to your needs however you like. I would highly recommend it for protecting APIs, especially if user permission is required for access to the APIs.

This is a very good site to read about OAuth: http://hueniverse.com/oauth/

--- addition ---

There are some security implications regarding shared key storage in the consumer application - the mobile phone app in your case.

If somebody opens your program, disassembles the code and extracts the shared key, then he can make an application which will authenticate successfully to the provider API. However, this is not a very big concern if user authorization is required (3-legged), because the user will still be asked to give permission to this false application - and now it's up to the user to make the proper choice. And besides that - the false app will not be able to steal the user's credentials, because with OAuth, user credentials are entered only at the provider's site.
