检查HTTP请求来自于我的Android应用程序
我检索来自外部服务器与我的Android应用程序使用的数据。我想这个数据是只与我的应用程序访问。我使用的是标准的HTTP连接,从JSON格式的Apache / PHP服务器获取数据。我也送一些PARAMS到服务器以获取相关数据。现在,我打算做的是:
I retrieve data from an external server for use with my android application. I would like this data to be only accessible with my app. I use a standard http connection to get the data from apache/php server in json format. I also send some params to the server to retrieve relevant data. Now, what I'm planning to do is:
- 将PARAMS
- 发送类似MD5(someSecretPhrase+参数)。
- 检查秘密短语是在服务器端正确。
现在的问题是 - 它是关于反向工程安全的方法?现在我能想到的没有其他的可能性,以获得这些数据。但是,如果有人能够反编译我的APK,他将还能够检索这个someSecretPhrase(而很难做到在服务器端),然后访问服务器,是不是他?它是一个真正的威胁?有没有其他的可能性,由服务器来验证我的应用程序?
Now, the question is - is it a safe approach regarding the reverse engineering? For now I can think of no other possibility to get this data. But if someone is able to decompile my apk, he will be also able to retrieve this "someSecretPhrase" (rather hard to do on the server side) and then access the server, isn't he? Is it a real threat? Is there any other possibility to authenticate my app by the server?
我看着论坛上,例如。 Identify无论是从Android应用程序的HTTP请求或不是?然后做出适当响应,但他们没有解释反编译的问题。
I looked at the forums eg. Identify whether HTTP requests from Android App or not? and then respond appropriately, but they don't explain the decompilation problem.
一个安全的基本规则是:你不信任的客户端数据。曾经。
One of basic rules of security is: you don't trust client data. Ever.
您应该考虑你的应用程序反编译,所有已知的秘密键攻击,等等。
You should consider your app decompiled, all "secret" keys known to attacker, etc.
您可以,但是,阻碍攻击者的企图伪造你的请求。您的要求发送(和验证)的校验方法之一。
You can, however, hinder attacker's attempts to forge your requests. Sending (and verifying) checksum of your request is one of methods (your idea of MD5(secret_key + params)).
您也可以切换到二进制加密协议。但是,这需要更多的工作,完全不同的体系结构的服务器。
You could also switch to a binary encrypted protocol. But this requires MUCH more work and quite a different architecture of server.