限制访问服务器到iPhone应用程序

我正在建立一个客户端/服务器iPhone游戏，我想让第三方客户端访问服务器。这有两个原因：第一，我的收入模式是销售客户和提供服务，第二，我想避免客户的扩散，促进作弊。

I'm building a client/server iPhone game, where I would like to keep third-party clients from accessing the server. This is for two reasons: first, my revenue model is to sell the client and give away the service, and second I want to avoid the proliferation of clients that facilitate cheating.

我在rails中编写服务器的第一个版本，但我考虑在某个时候移动到erlang。

I'm writing the first version of the server in rails, but I'm considering moving to erlang at some point.

我正在考虑两种方法：

1. 用户名（例如，GUID），并用应用程序随附的秘密对其进行哈希（SHA256或MD5），并将结果用作密码。当客户端与服务器连接时，两者都通过HTTPS通过HTTP基本验证发送。服务器使用相同的密钥对用户名进行哈希，并确保它们匹配。

1. Generate a "username" (say, a GUID) and hash it (SHA256 or MD5) with a secret shipped with the app, and use the result as the "password". When the client connects with the server, both are sent via HTTP Basic Auth over https. The server hashes the username with the same secret and makes sure that they match.

使用iPhone应用程式发送客户端证书。服务器配置为要求客户端证书存在。

Ship a client certificate with the iPhone app. The server is configured to require the client certificate to be present.

第一种方法的优点是简单，开销低，并且可以更容易模糊秘密应用程序。

The first approach has the advantage of being simple, low overhead, and it may be easier to obfuscate the secret in the app.

第二种方法经过良好测试和验证，但可能会有较高的开销。然而，我的客户证书的知识是在三角洲航空公司飞行杂志级别阅读。这会带来多少带宽和处理开销？每个请求传输的实际数据大约为一千字节。

The second approach is well tested and proven, but might be higher overhead. However, my knowledge of client certificates is at the "read about it in the Delta Airlines in-flight magazine" level. How much bandwidth and processing overhead would this incur? The actual data transferred per request is on the order of a kilobyte.