保护从Android电子通讯网络服务 [英] Securing communication from android to a web service
问题描述
我是一个相对的新手到网络和移动发展,特别是对安全性如此明显的答案仍然是AP preciated。
I'm a relative newbie to web and mobile development and especially to security so obvious answers are still appreciated.
我希望我的Android应用程序,以便能够登录用户名和密码,一个简单的Web服务。
I want my android app to be able to log in to a simple web service with a username and password.
什么是安全地发送这些信息,并保持用户登录的整个会话的最好方法是什么?
What's the best way to send this information securely and keep the user logged in for an entire session?
推荐答案
你控制的Web服务?如果没有,那么你就需要使用任何身份验证机制,Web服务提供了。
Do you control the web service? If not then you will need to use whatever authentication mechanism the web service provides.
如果你正在写的Web服务自己,你有很多选择。
If you're writing the web service yourself, you have a lot of options.
最简单的是只发送用户的用户名和密码通过SSL与每一个请求作为HTTP 授权方式:头。这里的缺点是,你需要保持存储在设备上的用户名和密码。话虽这么说,Android的许可系统的工作方式,因为,有一个攻击者窃取关闭设备的凭据的风险很小,只要用户尚未启用root访问权限。
The simplest is to just send the user's username and password via SSL with every request as a HTTP Authorization: header. The downside here is that you need to keep the username and password stored on the device. That being said, because of the way Android's permission system works, there's very little risk of an attacker stealing credentials off of the device, provided the user hasn't enabled root access.
如果您仍然希望避免采用明文存储的密码,您可以发送用户名/密码一次(再次使用SSL),已在服务器返回一个加密授权令牌,然后发送该令牌代替用户的用户名/密码。见谷歌的的ClientLogin 获得这样的一个例子。攻击者仍然可以窃取该令牌,如果他们具有对设备的物理访问,但至少,攻击者不能用它来访问到使用相同的密码的任何其他站点。
If you still want to avoid storing the password in plain text, you can send the username/password once (again, using SSL), have the server return an encrypted authorization token, then send that token in place of the user's username/password. See Google's ClientLogin for an example of this. An attacker could still steal the token if they have physical access to the device, but at least the attacker can't use that to gain access to any other sites that use the same password.
还有其他选择那里为好,如使用挑战/响应prevent从曾经看到用户的密码,使用OAuth提供一个通用的授权API,等服务器。这一切都取决于你的特殊要求。
There's other options out there as well, like using challenge/response to prevent the server from ever seeing the user's password, using OAuth to provide a common authorization API, and so on. It all depends on what your particular requirements are.
这篇关于保护从Android电子通讯网络服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
