How to secure app-backend communication?

I have one iOS app and also a small backend that I use so far to manage the APNs (Apple Push Notifications). The registration process is just a GET call with parameters to my backend, and since there is no 'authentication' or any other kind of control, I fear that anybody could just overload my backend with fake devices registering.

So the main question is: how could I make this kind of app-sending-info-to-backend transmission secure when there is no authentication?

One simple idea that comes to my mind is generating some kind of hash using the token that the app must supply when registering the device...

Solution

There is no way to completely solve this problem. It is not possible to know that it is your app that is connecting. All you can do is add a little obfuscation.

Your best first step is to use SSL with a pinned certificate to make Man-in-the-Middle attacks harder. Client-side certs can help, but are a bit of a pain to set up and aren't going to buy you a lot over other solutions.

If you have a pinned certificate and SSL, just sending a shared secret along with the GET is probably as good as you need. Change the secret from release to release so you can age out old ones. If someone has reverse-engineered your app enough to beat the pinned certificate (or to read the shared secret directly), then they're going to break all the rest of these approaches, too.

Even so, here are some more that add a little extra layer:

Bidirectional shared-secret verification with AES is a good and simple approach, but requires a handshake (i.e. you can't do it with a single GET). You can of course just implement this one-way (so the server verifies the key, but not the client), but you still need a handshake.

If you want to keep your auth token to a single GET and can't pin your SSL certificate, and you can make your GETs idempotent (which good REST calls should be anyway), then this is a simple implementation:

1. Construct GET request
2. Calculate HMAC(SHA-256, shared-secret, get-request, 16 bytes)
3. Send HMAC along with GET request

On iOS, this would look something like:

```objectivec
#import <CommonCrypto/CommonHMAC.h>

NSData *key = ...random 32 bytes shared with server...;
NSURLRequest *request = ...;

// Allocate some memory for the HMAC. The buffer must have a real length
// (not just a capacity), because CCHmac writes into it directly and the
// truncation below relies on [hmac length].
NSMutableData *hmac = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH];

// Convert your URL into data. This assumes that this is a GET request, so the URL
// has everything. This also assumes that the GET is idempotent, so if someone
// replays this GET request, you don't care.
NSData *requestData = [[[request URL] absoluteString] dataUsingEncoding:NSUTF8StringEncoding];

// Compute the HMAC
CCHmac(kCCHmacAlgSHA256, [key bytes], [key length], [requestData bytes], [requestData length], [hmac mutableBytes]);

// Truncate the HMAC (this is common practice. It's slightly better, and at least no
// worse, to send half the HMAC rather than the whole HMAC).
NSData *token = [hmac subdataWithRange:NSMakeRange(0, [hmac length] / 2)];

NSURLRequest *finalRequest = ... add the token to your request ...
```

You would of course compute the same thing on the server side. You can think of this as "signing the GET." If your requests are not idempotent, you really should be working on fixing that anyway. If you can't fix it, you can integrate a timestamp into the hash and throw away requests that are too old or you've seen before. (In doing this, you've made your GET idempotent....)

When you upgrade your app, you should probably change your shared secret. That way you can eventually age out old shared secrets that have been discovered.

Yes, these can all be reverse engineered. Anything that tries to authenticate the app (rather than the user) can be reverse engineered. So keep it simple, and focus more on how you would recover if it did happen.

And if at all possible, add user authentication. It's much more powerful.
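The server-side counterpart of the signed GET above, as an added example that is not part of the original answer: it recomputes the truncated HMAC-SHA256 over the full URL, compares it in constant time, and applies the timestamp and "seen before" checks the answer describes. It assumes the client puts the timestamp in a `ts` query parameter and sends the hex-encoded token in a header; the key, URL and time window are constructed sample values.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

TOKEN_LEN = 16   # keep half of the 32-byte SHA-256 HMAC, as in the answer
MAX_AGE = 300    # assumed acceptance window in seconds for the ts parameter


def sign_get(key: bytes, url: str) -> str:
    """Client side: HMAC-SHA256 over the full URL string, truncated to 16 bytes, hex-encoded."""
    mac = hmac.new(key, url.encode("utf-8"), hashlib.sha256).digest()
    return mac[:TOKEN_LEN].hex()


class GetVerifier:
    """Server side: recompute the token, then reject stale or replayed requests."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # token -> ts; only entries inside the window are kept

    def verify(self, url: str, token: str, now: float) -> bool:
        expected = sign_get(self.key, url)
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        # The timestamp is part of the URL, so it is covered by the HMAC and
        # cannot be altered without invalidating the token.
        query = parse_qs(urlparse(url).query)
        try:
            ts = int(query["ts"][0])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.max_age:
            return False  # too old (or from the future)
        # Drop expired entries so the replay cache stays bounded, then check replay.
        self.seen = {t: s for t, s in self.seen.items() if now - s <= self.max_age}
        if token in self.seen:
            return False  # same signed request already accepted inside the window
        self.seen[token] = ts
        return True
```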