Securing web-API access

Category: Frontend · Status: Unresolved · 4 answers · 669 views
陌清茗 2021-01-14 12:24

I have a simple web API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the URL to

4 answers
  •  再見小時候
    2021-01-14 12:56

    Short answer: This is the start of an arms race. You can either obfuscate and protect while your 'opponents' reverse-engineer and re-develop, OR you can focus your efforts on improving your client software enough that users would rather use your software than your 'opponents' software. I'd argue that if your clients are better tools, then your users will use your clients. If there is something your competition is doing better than you, take note.

    Longer answer: when every single client is downloaded, generate a client-side X.509 certificate and sign it with a CA key. Configure your web server to require and validate the client certificate with every request.

    One of your legitimate users might give their client certificate to your opponent. They might bake one, ten, or one thousand different legitimately acquired certificates into their software, but you can knock down each individual one (publish the key into a Certificate Revocation List that your web server uses when validating the clients) as you discover them. And then deal with the individual end users who are frustrated when their keys stop working.
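The per-install client-certificate scheme in the answer above, as an added worked example that is not code from the original thread: a CA mints one certificate per download, the API server requires and verifies client certificates against that CA, and a CA-signed CRL knocks out a certificate once it turns up baked into a cloned app. It uses only the Go standard library; the install IDs, serial numbers, certificate lifetimes and the /v1/data path are constructed for the demo, and the revocation set is loaded once at startup rather than refreshed, which a real deployment would change.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"log"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// mintCert generates a P-256 key and signs tmpl with parent; a nil parent
// means self-signed. Returns the parsed certificate and its private key.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CA issues one client certificate per app download. Its key stays on the
// distribution backend and never ships inside the app.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewCA() (*CA, error) {
	cert, key, err := mintCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "App Client CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueClient mints the per-install certificate; the serial is what a CRL
// later names to revoke it. installID is a constructed identifier.
func (c *CA) IssueClient(serial int64, installID string) (tls.Certificate, error) {
	cert, key, err := mintCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: installID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, c.Cert, c.Key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, nil
}

// IssueCRL signs a CRL listing the serials to knock out (e.g. an install
// certificate found baked into a cloned app).
func (c *CA) IssueCRL(revoked ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, c.Cert, c.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// NewAPIServer requires a client certificate chaining to the CA and, after
// that chain check, refuses any serial listed on the CA-signed CRL.
func NewAPIServer(c *CA, crl *x509.RevocationList) (*httptest.Server, error) {
	if err := crl.CheckSignatureFrom(c.Cert); err != nil { // never trust an unsigned or foreign CRL
		return nil, fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	revoked := map[string]bool{} // keyed by serial only: enough with a single issuing CA
	for _, rc := range crl.RevokedCertificates {
		revoked[rc.SerialNumber.String()] = true
	}
	pool := x509.NewCertPool()
	pool.AddCert(c.Cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "data for %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
		// Runs only after the chain verified against ClientCAs; chains[0][0] is the leaf.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if leaf := chains[0][0]; revoked[leaf.SerialNumber.String()] {
				return fmt.Errorf("client certificate serial %s is revoked", leaf.SerialNumber)
			}
			return nil
		},
	}
	srv.StartTLS()
	return srv, nil
}

// CallAPI is the app side: present the install certificate (nil = none) and
// return the response body, or the TLS error the server's rejection produced.
func CallAPI(srv *httptest.Server, cert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/v1/data") // path is constructed for the demo
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	ca, err := NewCA()
	if err != nil {
		log.Fatal(err)
	}
	good, _ := ca.IssueClient(1001, "install-1001")
	leaked, _ := ca.IssueClient(1002, "install-1002") // later found inside a clone app
	crl, _ := ca.IssueCRL(1002)
	srv, err := NewAPIServer(ca, crl)
	if err != nil {
		log.Fatal(err)
	}
	defer srv.Close()
	for _, tc := range []struct {
		name string
		cert *tls.Certificate
	}{{"valid", &good}, {"revoked", &leaked}, {"no cert", nil}} {
		body, err := CallAPI(srv, tc.cert)
		fmt.Printf("%-8s body=%q err=%v\n", tc.name, body, err)
	}
}
```

Run it with `go run` to see the valid install get its data while the revoked one and the certificate-less client are refused at the TLS layer, before any handler code runs. Two details matter in practice: the server checks the CRL's signature before trusting its contents, so an attacker cannot feed it an empty CRL, and because the TLS handshake itself is the gate, the revoked user's app fails hard rather than getting an HTTP error, which is the user-support cost the answer warns about.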
