问题描述
我想建立一个小的手机应用程序(Android和iOS)和一个小的后端服务器与REST API。
我的应用程序的用户(Android或iOS的),需要登录Facebook上。我这样做,通过使用Facebook的移动SDK。当登录已经成功,Facebook的SDK将返回一个authentificationToken,也就是现在的智能手机用户。
的想法如下:每当我的应用程序需要一些数据,应用程序将conntact到我的服务器后端(REST)通过HTTPS。例如:应用程序,使一个简单的HTTP GET和将所检索的Facebook authenticationToken。我的服务器得到这个Facebook的authenticationToken并使用此令牌来确定,如果用户是通过身份验证和获取Facebook个人资料(名字,姓氏等)。因此,服务器上的联系人的Facebook也和生成的HTTP GET请求个性化的响应。
我的问题是:
- 是不是真的够通过这facebookAuthentication令牌每个REST API调用,使服务器检索正确关联的Facebook用户?
- 在我使用HTTPS,所以我想,连接是加密的够了吧?
- 我想我需要一些签名机制,让每一个签名的REST API调用(通过HTTPS),以确保facebookAuthentication令牌一直只派从我的移动应用程序。我会做,通过使用RSA与SHA-1签署任何REST API调用。但这种方法的问题是:在客户端需要存储私钥某处在App(签名请求)和服务器知道公开密钥(用于签名匹配)。它是否正确?如果是的话,我想它是一个大的安全问题,因为移动应用程序(尤其是机器人),可以反编译得到的私钥。如何在我的应用程序安全地保存这个私钥?是否有其他系统进行签名,你可以推荐吗?
BT:你知道一个良好的RSA LIB为iOS和Android
1)是的。这是不够的。如果您的客户端(手机应用程序)有一个令牌,它证明用户身份验证到Facebook。所以,你认证的用户通过这种方式。然而,这还不足以验证一个移动应用程序(这一点,我将讨论在#3)。
2)是的。它的加密两种方式。
3)这是艰难的一个。这就是所谓的远程认证。也有问题,这个有很多。
在你进入这个方向,你需要问自己两个问题
-
你是谁防止?
-
多少钱我愿意投资呢?
如果你要保护自己免受学生具有非常有限的知识,谁可以写另一个移动应用程序将使用您的服务器,那么你是罚款的签名。
如果你是防止只是一点点,更复杂的软件工程师(谁可以逆向工程的应用程序) - 这是不够的。这位工程师可以提取您的应用程序的私有密钥,并用它来登录自己的应用程序请求。
您可以阅读有关远程证明这里和的。
解决方案,可以保护你从简单的逆向工程相当复杂。
P.S。关于RSA库。
看这个Android的:
和本作的iOS
使用公钥 RSA加密 I would like to build a little mobile App (Android and iOS) and a little backend server with a REST Api. My app users (android or iOS) needs to login on facebook. I do that by using facebooks mobile sdk. When the login has been successful, facebook sdk will return a authentificationToken, that is now on the users smartphone. The idea is as follows:Whenever my app needs some data, the app will conntact to my server backend (REST) over HTTPS. For example: The app makes a simple HTTP GET and passes the retrieved Facebook authenticationToken. My Server gets this facebook authenticationToken and use this token to determine, if the user is a authenticated and to retrieve facebook profile information (firstname, lastname etc.). So the server contacts facebook too and generate the personalized response for the HTTP GET Request. My questions are: Bt: Do you know a good RSA lib for iOS and Android? 1) Yes. It's enough. If your client (mobile app) has a token, it proves that a user authenticated to Facebook. So, you authenticated a user this way. However, it's not enough to authenticate a mobile app (about this, I will talk in #3). 2) Yes. It's encrypted both ways. 3) That's tough one. It's called remote attestation. There are A LOT of problems with this. Before you go into this direction, you need to ask yourself two questions Who are you protecting against? How much am I willing to invest? If you are protecting yourself against a student with very limited knowledge, who may write another mobile app which will use your server then you are fine with a signature. If you are protecting against just a little bit more sophisticated software engineer (who can reverse engineer your application) - it won't be enough. This engineer can extract a private key from your application and use it to sign requests in his application. You can read about remote attestation here and here. Solutions which can protect you from simple reverse engineering are quite complex. P.S. Regarding RSA library. Look at this for Android: And this for iOS RSA Encryption using public key 这篇关于我的服务器提供安全Facebook的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!