安全地发送PHP从iOS获取信息 [英] Securely Sending PHP Get Information from iOS

问题描述

所以在这种情况下，我有一个iOS应用程序，其中有一部分用户将信息输入特定标签，然后我根据用户给定的信息创建一个URL请求，并将其发送到我的PHP后端。该URL遵循以下结构：

So here's the situation, I've got an iOS app that has a part where users input information into specific labels, and then I create a URL request based on the users given information, and send this over to my PHP backend. The URL follows the below structure:

http://www.somewebsite.com/send.php?title=hello&name=john&contact=email

现在上面的问题是任何有权访问该URL的人，很容易用垃圾邮件轰炸数据库，提交的内容太多等等。感觉非常不安全。我应该如何使这个过程尽可能安全？

Now the problem with the above is that anyone who has access to the URL, can easily bombard the database with spam, too many submissions, etc. It feels very insecure. What should my approach to making this process as secure as possible be?

我目前对PHP的知识水平能够通过简单地使用完成工作的方法（无论它们有多安全）来完成任务，但现在我开始到达需要保持安全性，安全性等的地步。非常感谢有用的建议/见解。谢谢！

My current knowledge level with PHP is being able to get tasks accomplished by simply using methods that "get the job done" (regardless of how safe they are), but now I'm starting to get to the point where I need to keep security, safety, etc in mind. Helpful advice/insight will be greatly appreciated. Thank you!

推荐答案

确保这一点的最佳方法是锁定服务器端组件（即PHP部分） OAuth2身份验证层。我个人建议为此目的此OAuth2服务器。

The best way to secure this is to lock your server-side components (i.e. the PHP part) behind an OAuth2 authentication layer. I personally recommend this OAuth2 Server for this purpose.

一般工作流程如下：

1. Send an API key/username/password/etc to an API endpoint (i.e. a URL)
2. Get a token, store it in memory for future use
3. Send this token on subsequent requests

此解决方案优于发送数据的哈希值（例如MD5），因为这不会对任何内容进行身份验证。它还解决了潜在的问题，而不是隐藏它（例如，POST而不是GET不会保护您的通信）。但是，OAuth2不提供机密性。中间的人仍然可以看到/破坏您的请求。

This solution is superior to sending a hash (e.g. MD5) of the data, because this does not authenticate anything. It also addresses the underlying problem rather than hiding it (e.g. POST rather than GET does nothing for securing your communications). However, OAuth2 does not provide confidentiality. A man in the middle can still see/mangle your requests.

为了更好地保护您的用户，您应该使用 HTTPS （TLSv1.2 with在您的应用上 PFS ）。 独家。甚至没有端口80 HTTP服务器可以执行任何操作而不是重定向到您的HTTPS服务器。同时发送 HSTS 和 HPKP 标头。

To better protect your users you should be using HTTPS (TLSv1.2 with PFS) on your app. Exclusively. Don't even have a port 80 HTTP server that does anything more than redirect to your HTTPS server. Also send HSTS and HPKP headers, if iOS supports them.

如果您需要比HTTPS更好的安全性+ OAuth2提供，我建议全职学习应用程序安全性，因为更详细和复杂的解决方案只会如果你对这个问题有广泛的知识，那就有意义了。 （当然，取决于您的威胁模型！）

If you need better security than HTTPS + OAuth2 offers, I suggest learning application security full-time because the more detailed and intricate solutions will only make sense if you have a great breadth of knowledge on the subject. (Depending on your threat model, of course!)

例如，针对攻击者反向设计应用程序以恢复硬编码API密钥的防御根本就没有它们，这使您的工作流程变得复杂并且可能需要对每个用户进行身份验证。

For example, the defense against an attacker reverse engineering your app to recover hard-coded API keys is simply not to have them, which complicates your workflow and possibly requires authenticating each user.

这篇关于安全地发送PHP从iOS获取信息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！