Problem description
I want to securely access the REST API (.NET) through a mobile application (react-native). I had the following solutions, but each one has its drawback. Can someone suggest a solution to the problem?
1.
REST API: secure REST API with username & password.
Mobile App: send username and password with every REST API call.
Drawback: on reverse engineering, the username and password stored in the mobile application are obtained. The code was obfuscated and the password was stored in places, but hackers were successful in obtaining the password after certain efforts.
2.
REST API: OAuth 2 implemented.
Mobile App: call the REST API to obtain a token for future use, but the first time it is required to pass auth credentials to obtain the token. Same problem: the username & password can be obtained by reverse engineering.
How can we move app secrets out of the app and access the REST API securely from the mobile application?
You should look to implement the Authorisation Code Grant with PKCE.
Here is an example project doing something similar.