Best security practices when sending a credit card number to a REST API from iOS


Question

My app has to communicate with an API, we can do this easily to send and get data.

Right now we send everything as plain text as a parameter of the URL.

I am by no means a security expert, but common sense tells me the credit card number should be encrypted during the transfer.

The server can worry about the storage, my only concern is the actual transmission of the data.

From my reading I understand that I need a private key encryption algorithm, as it needs to be reversed by the server to get the actual data.

Is a good one already implemented on the CommonCrypto framework?

What are your suggestions?

I am looking to do this using iOS and I am sure the security frameworks have tools to complete this challenge, I just don't know where to look or what to look for.

Thanks!

Recommended answer

You should absolutely not be using URL parameters for the credit card information. URLs that are accessed by other clients on a network can be easily sniffed and recorded by other computers on the network (with certain limitations of course).

You should be submitting the info using POST parameters so that they are contained in the body of the message and not the URL itself. Then as long as you are submitting to an HTTPS page, the data should be safe without needing to encrypt it first (the message itself is encrypted using SSL in this case).
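
The approach described in the answer above, as an added Swift example that is not part of the original post: the card fields go in a form-encoded POST body, and the request is refused unless the endpoint is HTTPS. The host `api.example.com`, the path, the field names and the helper names `formEncode` and `makeCardRequest` are hypothetical.

```swift
import Foundation

enum CardRequestError: Error { case insecureScheme, badURL, encodingFailed }

// Percent-encode one key or value for an application/x-www-form-urlencoded body.
func formEncode(_ value: String) -> String? {
    var allowed = CharacterSet.alphanumerics
    allowed.insert(charactersIn: "-._~")
    return value.addingPercentEncoding(withAllowedCharacters: allowed)
}

// Build a POST request that carries the fields in the body, never in the URL.
func makeCardRequest(endpoint: URL, fields: [String: String]) throws -> URLRequest {
    // Refuse plain HTTP: without TLS the body is as readable as the URL.
    guard endpoint.scheme?.lowercased() == "https" else {
        throw CardRequestError.insecureScheme
    }
    // Drop any query string so no parameter can end up in the URL.
    guard var parts = URLComponents(url: endpoint, resolvingAgainstBaseURL: false) else {
        throw CardRequestError.badURL
    }
    parts.query = nil
    guard let url = parts.url else { throw CardRequestError.badURL }

    var pairs: [String] = []
    for (key, value) in fields.sorted(by: { $0.key < $1.key }) {
        guard let k = formEncode(key), let v = formEncode(value) else {
            throw CardRequestError.encodingFailed
        }
        pairs.append("\(k)=\(v)")
    }

    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
    request.httpBody = pairs.joined(separator: "&").data(using: .utf8)
    return request
}

// Constructed sample input: placeholder host and a test card number.
let endpoint = URL(string: "https://api.example.com/v1/payments")!
let request = try makeCardRequest(
    endpoint: endpoint,
    fields: ["card_number": "4111111111111111", "expiry": "12/30"])

// An ephemeral session keeps no cache or cookies on disk.
let task = URLSession(configuration: .ephemeral).dataTask(with: request) { _, response, error in
    print((response as? HTTPURLResponse)?.statusCode ?? -1, error?.localizedDescription ?? "ok")
}
task.resume()
```

Run as a command-line script, the process must stay alive until the completion handler fires; inside an app the run loop already does this.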
