将 API 请求限制为仅我自己的移动应用程序
有什么方法可以将我的 REST API 的发布请求限制为来自我自己的移动应用程序二进制文件的请求?此应用将在 Google Play 和 Apple App Store 上分发,因此应该暗示有人可以访问其二进制文件并尝试对其进行逆向工程.
Is there any way to restrict post requests to my REST API only to requests coming from my own mobile app binary? This app will be distributed on Google Play and the Apple App Store so it should be implied that someone will have access to its binary and try to reverse engineer it.
我在想一些涉及应用签名的事情,因为每个已发布的应用都必须以某种方式进行签名,但我不知道如何以安全的方式进行签名.也许是获取应用签名、基于时间的哈希值、应用生成的密钥对以及虽然晦涩难懂的旧安全性的组合?
I was thinking something involving the app signatures, since every published app must be signed somehow, but I can't figure out how to do it in a secure way. Maybe a combination of getting the app signature, plus time-based hashes, plus app-generated key pairs and the good old security though obscurity?
我正在寻找尽可能防止失败的东西.原因是因为我需要根据手机传感器收集的数据将数据传送到应用程序,如果人们可以冒充我自己的应用程序并将未经我自己算法处理的数据发送到我的 api,它就会打败它目的.
I'm looking for something as fail proof as possible. The reason why is because I need to deliver data to the app based on data gathered by the phone sensors, and if people can pose as my own app and send data to my api that wasn't processed by my own algorithms, it defeats its purpose.
我愿意接受任何有效的解决方案,无论多么复杂.非常感谢锡箔帽解决方案.
I'm open to any effective solution, no matter how complicated. Tin foil hat solutions are greatly appreciated.
用户可以公开存储在应用程序中的任何凭据.在 Android 的情况下,他们可以完全反编译您的应用程序并轻松检索它们.
Any credentials that are stored in the app can be exposed by the user. In the case of Android, they can completely decompile your app and easily retrieve them.
如果与服务器的连接不使用 SSL,它们很容易从网络中嗅探出来.
If the connection to the server does not utilize SSL, they can be easily sniffed off the network.
说真的,任何想要凭据的人都会得到它们,所以不用担心隐藏它们.本质上,您拥有一个公共 API.
Seriously, anybody who wants the credentials will get them, so don't worry about concealing them. In essence, you have a public API.
存在一些陷阱,管理公共 API 需要额外的时间.
There are some pitfalls and it takes extra time to manage a public API.
许多公共 API 仍然通过 IP 地址进行跟踪,并实施 tarpits 以简单地减慢来自任何似乎在滥用系统的 IP 地址的请求.这样,来自同一 IP 地址的合法用户仍然可以继续使用,但速度会变慢.
Many public APIs still track by IP address and implement tarpits to simply slow down requests from any IP address that seems to be abusing the system. This way, legitimate users from the same IP address can still carry on, albeit slower.
您必须愿意关闭 IP 地址或 IP 地址范围,尽管您可能会在与滥用者同时阻止无辜和正直的用户.如果您的应用程序是免费的,它可能会给您更多的自由,因为没有预期的服务水平,也没有合同,但您可能希望通过法律协议来保护自己.
You have to be willing to shut off an IP address or IP address range despite the fact that you may be blocking innocent and upstanding users at the same time as the abusers. If your application is free, it may give you more freedom since there is no expected level of service and no contract, but you may want to guard yourself with a legal agreement.
一般来说,如果您的服务足够受欢迎以至于有人想要攻击它,这通常是一个好兆头,所以不要过早担心它,但要保持领先.您不希望应用失败的原因是用户厌倦了在缓慢的服务器上等待.
In general, if your service is popular enough that someone wants to attack it, that's usually a good sign, so don't worry about it too much early on, but do stay ahead of it. You don't want the reason for your app's failure to be because users got tired of waiting on a slow server.
您的另一个选择是让用户注册,这样您就可以在发现滥用行为时通过凭据而不是 IP 地址进行阻止.
Your other option is to have the users register, so you can block by credentials rather than IP address when you spot abuse.