Question
I've used Parse to create an application for iOS using the iOS SDK downloaded from the Parse.com website.
In order to create this kind of application, the ApplicationID and ClientID keys are both embedded in the iOS app and sent from the app to the server when the application is used. This essentially puts the ApplicationID and ClientID in plain sight, so any user can write a small program which would repeatedly call the various Parse APIs of my application.
I have followed all the security advice in the Parse tutorials and all the data has appropriate roles and ACLs.
HOWEVER, a single unsophisticated user could bring down my entire application simply by calling the login API of my Parse app more than 30 times per second.
Am I missing something or is this a FATAL flaw in using Parse.com as a backend from an iOS app?
Does anyone have a solution to this problem?
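A defender-side view of the burst-limit problem described in the question, as an added example that is not part of the original post or the Parse SDK: a per-client sliding-window counter over constructed request-log lines that flags any client sending more than 30 login requests within one second, so a gateway or proxy in front of the shared backend can cut that client off before the application-wide quota is exhausted. The log format, endpoint names and client identifiers are assumptions.

```python
"""Flag clients that exceed a per-second burst limit on a login endpoint.

Added example, not code from the original post or from Parse.com. The
question states an app-wide limit of 30 requests/second, so one client
hammering /login can starve everyone else; counting requests per client
lets a front-end gateway block that client before the shared quota is spent.
Log format (assumed): '<iso-timestamp> <client-id> <endpoint>'.
"""
from collections import defaultdict, deque
from datetime import datetime

BURST_LIMIT = 30       # requests per window, the limit quoted in the question
WINDOW_SECONDS = 1.0   # length of the sliding window


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, endpoint)."""
    ts, client, endpoint = line.split()
    return datetime.fromisoformat(ts), client, endpoint


def find_abusers(lines, endpoint="/login", limit=BURST_LIMIT, window=WINDOW_SECONDS):
    """Return {client: timestamp at which that client first exceeded the limit}."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ts, client, ep = parse_line(line)
        if ep != endpoint:
            continue              # only the login endpoint is rate-checked here
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # evict timestamps that fell out of the window
        if len(q) > limit and client not in flagged:
            flagged[client] = ts  # record the first crossing only
    return flagged


def make_sample_log():
    """Constructed log: client-A fires 40 logins in 0.8 s, client-B stays slow."""
    lines = []
    base = datetime(2014, 7, 7, 12, 0, 0)
    for i in range(40):   # abusive client: one request every 20 ms
        lines.append(f"{base.replace(microsecond=i * 20000).isoformat()} client-A /login")
    for i in range(10):   # well-behaved client: one login per second
        lines.append(f"{base.replace(second=i).isoformat()} client-B /login")
    lines.append(f"{base.isoformat()} client-B /classes/Photo")  # non-login traffic ignored
    return lines


if __name__ == "__main__":
    print(find_abusers(make_sample_log()))
```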
Answer 1:
You can always reduce the chance substantially by applying Security by Obscurity ;-)
You can encrypt your keys and place the decryption function right inside your JavaScript. You can further make it harder to find by hiding that function in the middle of a large, nasty script that nobody would enjoy, and then minify your JavaScript (which you should be doing anyway). I am sure it is possible to get even "more creative" and reach some reasonable perfection :-)
It remains, however, possible in principle for a sufficiently motivated hacker to reverse-engineer your program and get the keys. Still, you can make it hard enough that the hacker will likely look for easier targets, of which there are plenty, as we know ;-)
See also here for more ideas.
Source: https://stackoverflow.com/questions/24608496/parse-com-denial-of-service-by-exceeding-burst-limit