1. The interface uses a key and user ID md5 encryption. Then the encrypted sign is passed as a parameter (is such a simple encryption method safe?).
2. Then here comes the problem. If the user's request is caught, other people can also simulate the request. So how do you know that the request is issued by your own APP?
If only the app information is included in the request, others can also simulate it.
3. Because the interface is sent from the app, the user can only see this information by grabbing the local package. Is it easy for users to be requested by others for packages now?
ringa_lee2017-05-16 13:12:43
It is strongly recommended to use SSL to protect the communication security of web api. It is not a bad idea to implement it yourself, but it is definitely not as secure as SSL. Your approach will be monitored by the middleman, and the sign will be directly exploited.
Can simulate requests. If the other party has decompiled your app and understands the authentication process, it can definitely be simulated.
In the absence of SSL protection, http is transmitted in clear text. This situation cannot only be monitored locally. If you use SSL to protect communication security, you can ensure that it will not be monitored by a middleman. Whether it is easy to appear depends on the value of your app.
Recommend the subject to learn more about: man-in-the-middle monitoring and replay attacks
给我你的怀抱2017-05-16 13:12:43
I saw people do this before. There is a special interface to obtain the key. The key is valid for 2 days.
After adjusting all the interfaces, the token directly uses the key plus the corresponding parameter format to perform md5 encryption. In other words, the parameters do not have any keys.
Generally speaking, the package will be requested many times, the parameters will change, and the token will be different.
Also, even if you get the key, it’s useless if you don’t know how the other party assembles it.