Securing communication [Authenticity, Privacy & Integrity] with mobile app?


Question

An Android/iPhone app will be accessing application data from the server. [Django-Python]

How can I secure the communication with the mobile app?

Expectation: Secure enough for sensitive information like passwords; there shall be no direct way of decryption except brute-forcing.

My requirements

  • Authentication [Only the app is authorized]
  • Integrity [Messages should not be modified in between]
  • Privacy [Communication should not be readable if sniffed]

My efforts

  • SSL authentication is only for the server, not the client.
  • I can't use symmetric encryption [provides only privacy].
  • Digital signatures are not possible [no privacy].
  • PGP fulfils all three conditions.

Problems

  • PGP requires storing keys in the client app.
  • There seems to be no assured way of securing keys in the client app.
  • If the key is out, then PGP or symmetric encryption are equally vulnerable.
  • Reverse-engineering PGP keys or symmetric keys is equally hard.
  • In that case PGP is a nonsensical burden on the mobile processor.
  • OAuth is again useless, since it also has a client key.

So, how can/should I move forward on this? How does the industry deal with this?

Should I implement the casual approach:

  • Use simple SSL and cross my fingers, since authentication is not possible if the keys are stolen? (Only server authentication is possible with this)

Update:

Conclusion was to use AES, since if I can keep the key secure then I am as good as SSL. Plus I can keep changing the key over time for better security. Contribute if you think there is a better way; do read the entire post before posting.

Recommended answer

You're working on bad information. SSL can absolutely authenticate the client; it's just not something that is done for the bulk of SSL, as the protocol is (or, at least, was) typically used to protect e-commerce sites where authentication of the server was important but doing so with the client was not important and/or not feasible. What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.

Here's the high-level approach. Create a self-signed server SSL certificate and deploy it on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform like iOS, similar tools exist for them as well. Then create a self-signed client certificate and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and to only accept the one server-side certificate you installed on your server for that part of it.

If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.

A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages, as there are resources on the web about how to deal with self-signed SSL certificates in both Android and iOS, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
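To make the mutual-authentication setup the answer sketches concrete, here is an added example that is not from the answer's author, the book, or any project: it runs both sides on loopback in Python, the server-side language named in the question. It assumes the openssl command-line tool is on PATH to generate the self-signed certificates (standing in for keytool); the CNs, file names and the `/api/secret` request are hypothetical. It exercises the four outcomes the answer describes: the genuine app talks to the genuine server; a client with no certificate, or with a certificate of its own, is refused before any application data is decrypted; and a server presenting a certificate other than the pinned one is refused by the client.

```python
import atexit
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Scratch directory for the generated certs (removed at exit).
WORKDIR = tempfile.mkdtemp(prefix="mtls-")
atexit.register(shutil.rmtree, WORKDIR, ignore_errors=True)


def make_self_signed(name, cn):
    """Generate a self-signed cert + key with the openssl CLI (assumed on PATH); the SAN
    is what the client's hostname check matches against. Returns (key_path, cert_path)."""
    key = os.path.join(WORKDIR, f"{name}.key")
    crt = os.path.join(WORKDIR, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", f"/CN={cn}",
         "-addext", f"subjectAltName=DNS:{cn}"],
        check=True, capture_output=True,
    )
    return key, crt


def server_context(server_key, server_crt, trusted_client_crt):
    """Server side: present our cert, demand a client cert, and trust exactly one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_crt, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED                   # no client cert -> handshake aborts
    ctx.load_verify_locations(cafile=trusted_client_crt)  # the only client cert accepted
    return ctx


def client_context(trusted_server_crt, client_key=None, client_crt=None):
    """Client side: trust only the pinned server cert; optionally present our own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)         # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=trusted_server_crt)  # pinned; not the system CA store
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    return ctx


def run_exchange(server_ctx, client_ctx):
    """One request over loopback. Returns (client_got_reply, request_seen_by_server);
    the second element is None whenever the server never completed a handshake."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    seen = [None]

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                seen[0] = tls.recv(1024).decode()  # only reached after the client is verified
                tls.sendall(b"ok")
        except OSError:
            pass  # handshake rejected or timed out: nothing was decrypted

    thread = threading.Thread(target=serve)
    thread.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"GET /api/secret")
            got_reply = tls.recv(1024) == b"ok"
    except OSError:        # ssl.SSLError is an OSError: verification failed on some side
        got_reply = False
    finally:
        thread.join(10)
        listener.close()
    return got_reply, seen[0]


def demo():
    """Constructed scenarios; the CNs and file names are hypothetical."""
    s_key, s_crt = make_self_signed("server", "localhost")
    c_key, c_crt = make_self_signed("app", "mobile-app")   # what ships in the app keystore
    r_key, r_crt = make_self_signed("rogue", "localhost")  # an attacker's own cert
    server = server_context(s_key, s_crt, c_crt)
    return {
        "genuine app": run_exchange(server, client_context(s_crt, c_key, c_crt)),
        "no client cert": run_exchange(server, client_context(s_crt)),
        "wrong client cert": run_exchange(server, client_context(s_crt, r_key, r_crt)),
        "impostor server": run_exchange(server_context(r_key, r_crt, c_crt),
                                        client_context(s_crt, c_key, c_crt)),
    }


if __name__ == "__main__":
    for case, (ok, request) in demo().items():
        print(f"{case:18} client_got_reply={ok} server_decrypted={request!r}")
```

Run it directly to print one line per scenario. The two `load_verify_locations` calls are the pin: each side trusts exactly one self-signed certificate instead of the system CA store, so a CA-issued certificate for a lookalike host or any other client certificate fails verification, and the server never decrypts a request from an unverified peer. The client key this example reads from disk is, in the deployment the answer describes, the key held in the app's keystore, so the question's point that a key shipped inside the app can be extracted applies to it.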
