I have a pre-existing iOS & Android app, that I'm making an update for that includes a RESTful services API and Facebook login for user authentication. The general flow of
You can do this by including a signature in the request, and verifying it.
App Side:
1. Do something like: signature = md5( md5(url + data) + MY_RANDOM_KEY)
2. Append signature to the data, or url, etc.
3. Send call to REST API (as usual)
Server Side:
1. Extract the signature from the body/url (and remove it from there).
2. Calculate what you think it should be: signature_should_be = md5( md5(url + data) + MY_RANDOM_KEY) [keep in mind you've removed signature from url/data so that you get url/data in its original pre-hash state]
3. Verify that signature and signature_should_be are equal.
Doing this, along with SSL, should make your API secure enough.
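The signing and verification steps above, worked through end to end as an added example (not code from the answer or the asker's app). The URL, payload, JSON canonicalisation and the MY_RANDOM_KEY value are all constructed for the demo; the digest construction is exactly the one the answer describes.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the scheme above it ships inside the app, so anyone
# holding the binary can recover it; it only proves "a copy of the app sent this".
MY_RANDOM_KEY = "example-shared-key-not-a-real-secret"


def canonical(payload: dict) -> str:
    # App and server must hash identical bytes, so serialise deterministically.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def sign(url: str, data: str, key: str = MY_RANDOM_KEY) -> str:
    """Signature as described in the answer: md5(md5(url + data) + key)."""
    inner = hashlib.md5((url + data).encode()).hexdigest()
    return hashlib.md5((inner + key).encode()).hexdigest()


def client_request(url: str, payload: dict) -> dict:
    """App side: sign the body before the signature field is added, then append it."""
    body = dict(payload)
    body["signature"] = sign(url, canonical(payload))
    return {"url": url, "body": body}


def server_verify(request: dict) -> bool:
    """Server side: pop the signature, recompute over the original body, compare."""
    body = dict(request["body"])
    received = body.pop("signature", None)
    if received is None:
        return False
    expected = sign(request["url"], canonical(body))
    # Constant-time comparison so a mismatch does not leak where digests diverge.
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    req = client_request("https://api.example.com/v1/profile", {"user_id": 42, "name": "Ann"})
    print("genuine request verifies:", server_verify(req))
    tampered = {"url": req["url"], "body": {**req["body"], "user_id": 7}}
    print("tampered request verifies:", server_verify(tampered))
```

The md5-of-md5 construction is kept only because it is what the answer describes; `hmac.new(key, msg, hashlib.sha256)` is the standard keyed-hash construction for this job, and in either case the key is only as secret as the app binary.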
You could do as Tommy Crush suggests and add a secret inside your application. But if you are up against clever opponents, this probably won't help. The attackers can either decompile your application or try to simply reverse engineer your signature algorithm.
It is important to remember that anything stored within your application should be thought of as already compromised, as an attacker can decompile your app and scour through your code as much as he/she pleases and extract anything he/she wants from it. You cannot rely on anything in your application to be safe inside your app, since an attacker can extract it from your app into their app.
It is important to note that you are trying to use OAuth for authentication, which it is not intended for. It is simply meant for authorization, which is not the same as authentication. Authorization simply gives you access to a resource, but does not tell you who accessed it, which is the problem you are facing. To authenticate your users as your real users (or as close as you can get), you would need to add a login service for your service - something like rolling your own OAuth server, or similar. Then you can decide who can access the resource, which in this case is your RESTful API :) If this is more work than it is worth, then Tommy's scheme is a good alternative :)
The de facto solution for authentication on RESTful APIs, as used by Twitter and Facebook, is the OAuth mechanism. You can find more details here: http://en.wikipedia.org/wiki/OAuth.
OAuth is supported by the majority of languages through external libraries. On Android, for example, there is the https://github.com/wuman/android-oauth-client library.