我如何只允许从我的iOS应用程序访问我的MySQL数据库? (使用webapp作为db的网关) [英] How do I only allow access to my MySQL database from my iOS app? (Using webapp as gateway to db)
问题描述
我的iOS应用程序需要连接到mysql服务器。为了实现这一目标,我想创建一个webapp,充当客户端应用程序和服务器端数据库之间的中间人。
My iOS app needs to connect to a mysql server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.
我担心的是有人可以简单地找出我的应用使用的URL并传递他们自己的URL参数 - 由于webapp不知道我的iOS应用程序是否发送了合法数据,而只是从任何Web浏览器输入正确制作的URL,系统将易受攻击。
My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.
假设我有一个PHP功能,用于将用户标记为已验证(在我发送电子邮件验证码后)。这是非常标准的东西,但是什么阻止某人从网络浏览器发出相同的请求?
Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?
当然,应用程序用来进行数据库查询的用户将拥有有限的权限,因此数据库的其余部分将不会有风险。但是,即使让用户从应用程序外部激活他们的帐户也是灾难性的。
Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.
我想到的选项是使用https,这样即使用户找出了URL ,他们不会知道密码,因为它从头到尾都是加密的,所以无法嗅探密码。不幸的是,https对于一个贫穷的大学生来说可能是昂贵的,所以我想要一个替代品,如果存在。
The option that I thought of was using https so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, https can be expensive for a poor college student, so I'd like an alternative if one exists.
推荐答案
如上所述之前,没有100%的安全性。但是有几种解决方案可以提供很好的安全性。
As stated before, there is no 100 % security possible. But there are several solutions that put together give great security.
正如您所指出的,这是一个重要的部分,因为它可以防止嗅探。
As you point out, this is an important part , as it prevents sniffing.
使用会话,不允许任何没有有效会话的请求(第一个除外)必须验证应用程序)。
Use sessions and don't allow any request without a valid session ( except the first, that must authenticate the app ).
检查用户代理并设置额外的http标头,以获得应用程序独有的指纹。 (仍有人可以嗅,但他需要使用curl或类似的东西。)
Check the user agent and set extra http headers, to get a fingerprint unique to your app. ( Still someone could sniff, but he needed to use curl or similar. )
建立你的查询字符串并应用哈希函数。服务器需要实现反向功能。 ?43adbf764Fz而不是?a = 1& b = 2
Build your query string and apply a hash function. The server needs to implement the reverse function. ?43adbf764Fz instead of ?a=1&b=2
这更进了一步。使用共享密钥计算哈希值。在服务器上重复相同的操作。这已经是强大的安全性。为了打破,需要对您的应用进行逆向工程。
This goes a step further. Use a shared secret to calculate a hash. On the server repeat the same. This is already strong security. In order to break, one needs to reverse engineer your app.
你说它是适用于iOS的应用程序。安装后,iOS会生成一个唯一的令牌。让您的应用在服务器上注册此令牌。像这样,每个安装都有一个独特的强大共享密钥,并且无法破解您的Web应用程序。
You say it is a app for iOS. Upon installation a unique token is generated by iOS. Have your app register this token with your server. Like this you have a strong shared secret unique to each installation, and there would be no way to hack your web app.
这篇关于我如何只允许从我的iOS应用程序访问我的MySQL数据库? (使用webapp作为db的网关)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
