带有服务器后端的iPhone应用程序 - 如何确保所有访问仅来自iPhone应用程序?

我不介意盗版等等,但我想确保后端(基于Rails)不对可以DOS等的自动化服务开放。因此我想简单地确保所有访问权限到后端(这将是对GET和PUT数据的一些REST查询)将通过有效的iPhone应用程序,而不是在机器上运行的某些脚本。

I don't mind so much about pirating etcetera, but I want to ensure that the backend (Rails based) isn't open to automated services that could DOS it etc. Therefore I'd like to simply ensure that all access to the backend (which will be a few REST queries to GET and PUT data) will be via a valid iPhone application, and not some script running on a machine.

I我希望避免使用帐户,以便用户体验无缝。

I want to avoid the use of accounts so that the user experience is seamless.

我的第一个目的是将UDID和秘密一起散列,并提供(以及UDID) )通过HTTPS连接到服务器。这将允许创建经过身份验证的会话或返回错误。

My first intention is to hash the UDID and a secret together, and provide that (and the UDID) over a HTTPS connection to the server. This will either allow an authenticated session to be created or return an error.

如果被窃听,则攻击者可以获取哈希并重播它,使此方案可以重播攻击。但是,HTTPS连接不应该保护我免受窃听?

If eavesdropped, then an attacker could take the hash and replay it, leaving this scheme open to replay attacks. However shouldn't the HTTPS connection protect me against eavesdropping?

谢谢!



 1 条回答