问题描述
我已经写在.NET Web服务提供的数据为iPhone应用程序。它也将允许应用程序做一个保留。
I have a Web Service written in .NET that provides data for an iPhone application. It will also allow the application make a "reservation."
目前它的所有内部到企业网络,但显然当iPhone应用程序发布,我需要确保Web服务的外部可用。
Currently it's all internal to the corporate network but obviously when the iPhone application is published I will need ensure the Web Service is available externally.
我怎么会去保护的Web服务?
How would I go about securing the Web Service?
有两个方面我在寻找进入:
There are two aspects I'm looking into:
- 验证来访问Web服务
- 保护正在传输的数据
我没有那么不屑关于被传递的数据来回,因为这将是可见的应用程序呢(这将是免费的)。对我来说,关键问题是$ P $访问Web服务和预约自己pventing用户。
I'm no so bothered about the data being passed back and forth as it will be viewable in the application anyway (which will be free). The key issue for me is preventing users from accessing the Web Service and making reservations themselves.
目前,我正在考虑在加密来回传递所以只有客户端可以有效地使用Web服务回避需要身份验证和数据提供保护的XML数据的字符串。这是我见过的唯一模式,但我认为在iPhone,甚至Web服务的开销做了不好的用户体验。
At the moment I am considering encrypting any strings in the XML data passed back and forth so only the client can effectively use the web service sidestepping the need for authentication and providing protection for the data. This is the only model I have seen but I think the overheads on the iPhone and even for the web service make for a poor user experience.
推荐答案
HTTPS是简单的答案,但你不应该只给服务器提供其自身的证,但给一到每个移动设备。这样就可以相互验证。
https is the simple answer, but you should not only provide the server with its owncertificate, but give one to each mobile device. This allows for mutual authentication.
如果你不能做到这一点,你可以使用AES签署从iPhone的消息到服务器,仅使用已知的服务器和iphone共享秘密,但在平原绝不会发送:
If you can't do this, you can employ AES to sign the messages from the iphoneto the server, using a shared secret known only to the server and the iphone, butnever transmitted in plain:
签名= AES(数据+ iPhone的UDID +共享密钥) (或类似的意思)
signature = AES(data + iphone udid + shared secret) (or something to that effect)
您应该选择一种方法来分发的秘密这使您可以验证的其他部分。
You should choice a way to distribute the secretthat allows you to verify the other part.
这篇关于我该如何保护.NET Web服务,供iPhone应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!