
Problem description


I am building an Android app - a key part of which will include integration with a server API. The app is just a side-project and I am really just looking for validation of my planned API security and suggestions of best practice and how other apps do it.


The application will be mobile only (to start with, no website) - I want to be able to create user accounts from the app, and once signed up, use the central web API to access/update secured user-specific content.


What I have started looking at is a basic hosted MVC web app (I'm from a JVM/Spring background, so will likely use those libraries, but the question here is tech agnostic) - the app will have no webpages and just expose a series of endpoints:

  • Publicly accessible POST endpoints for sign-up and login

  • OAuth-secured endpoints for user-specific content (plus, of course, the endpoints needed for the normal OAuth dance)


Is that a reasonable approach? Does using OAuth make sense when I have control over the client and server sides?


I assume the official Twitter app just uses OAuth with the API that it exposes to other users? And Instagram was launched as a mobile-only platform at first, so I assume they must have had in-app account creation & then some API security?


(I know there are further considerations/requirements - communication over SSL, protecting your application's OAuth key from people de-compiling the application and then using the key in other apps etc., but really I just want some higher-level input if people have implemented these kinds of systems before, with success/problems etc.)

Recommended answer


Sounds good, but any token-based sessions would work. Don't store the credentials (at least not the password) on the device. Only store the token, which can be expired, and store it securely. Require HTTPS and use certificate pinning to prevent session hijacking.


08-28 14:30