
android - How to verify that an HTTP request really comes from the app

I want to make the following check: after a user downloads an app (iOS or Android, platform does not matter), the app sends an HTTP request to the server on its first launch, and I want to determine that this request came from the app and not from some other tool making malicious requests. Since the parameters carried in an HTTP request can be intercepted, even if the server validates the request parameters, the User-Agent and so on, it still cannot fully guarantee that the request's origin is legitimate. Is there a highly secure solution? Thanks!

高洛峰, 2714 days ago


  • 天蓬老师 (2017-04-17 12:09:13)

    Mobile apps can consider a self-signed SSL certificate. SSL pinning ensures request security. Unless the source code is decompiled, the chance of forging a request is almost zero.


    update:

    Seeing that this question has been posted again, I couldn’t help but update the answer.

    First, break down the problem.

    Assumed scenario 1: the content the App requests is public (for example a news list, an article list, or posting comments, assuming comments do not require login):
    As answered above, a self-signed SSL certificate (self-signed simply to save the tens, hundreds or thousands per year in certificate fees) is enough.

    Scenario 2: the App requests private content (online banking, internal clients and other cases that require user login):
    1. Log in and obtain a credential unique to the user (a new credential is generated at every login, overwriting the existing one)
    2. Every request the App makes carries the user's unique credential

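Scenario 2 above, as an added example that is not part of the original answer: a server-side sketch in Python where login mints a fresh random credential (treating the answer's per-login "certificate" as a bearer token, which is an assumption), overwrites whatever credential the user had, and every later request is checked against it. Names such as `login`, `verify`, `TOKEN_TTL` and the user table are constructed for the example; only the hash of a token is stored, so a leaked table does not yield usable credentials.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL = 3600          # seconds a login credential stays valid (assumption)
_SALT = b"per-user-salt"  # constructed; use a random salt per user in practice

# Constructed user table: username -> PBKDF2 hash of the password.
_users = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}

# Server-side credential store: username -> (sha256 of token, expiry time).
# Only the hash is kept, so a leaked copy of this table does not yield usable tokens.
_sessions: Dict[str, Tuple[str, float]] = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check the password; on success mint a fresh random credential and
    overwrite whatever credential the user had, so only the latest login works."""
    now = time.time() if now is None else now
    stored = _users.get(user)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _sessions[user] = (_token_hash(token), now + TOKEN_TTL)
    return token


def verify(user: str, token: str, now: Optional[float] = None) -> bool:
    """Server check for every subsequent request that carries (user, token)."""
    now = time.time() if now is None else now
    record = _sessions.get(user)
    if record is None:
        return False
    stored_hash, expiry = record
    if now > expiry:
        _sessions.pop(user, None)                # expired: drop it
        return False
    return hmac.compare_digest(stored_hash, _token_hash(token))
```

The credential must still travel over TLS (the first half of the answer): without it, anyone who can read the request can replay the token until it expires or the user logs in again.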
  • 阿神 (2017-04-17 12:09:13)

    This problem can be generalized further to: how to prevent HTTP requests from being intercepted and forged.

    Because the web is not secure, intercepting requests is not difficult. So we assume that requests will definitely be intercepted.
    That brings another problem: if the parameters carried by the request never change, the request can certainly be forged easily.

    So change the thinking to: the parameters carried by each request are different.
    It is easy to think of a public key / private key solution: use the public key to encrypt a certain parameter, then decrypt it on the server.
    At the same time, to let this parameter change all the time, the obvious simple choice of parameter is the time.

    After the time is encrypted, the server can decrypt it to obtain the time and then verify it.
    Considering that there will be some clock error, the server can allow a tolerance.

    The weakness of this solution: if the app is cracked and the public key and parameters are obtained, forged encrypted data can be produced and a request made.

    There is no absolute security, it just makes it more difficult to crack.

  • 黄舟 (2017-04-17 12:09:13)

    If you want secure transmission, use HTTPS.
    For the request parameters you can borrow the software serial number mechanism: for example, encrypt the MAC address and a timestamp with some algorithm, then send the MAC address, the encrypted MAC address and the timestamp to the server for verification.

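The two answers above (阿神's time-varying encrypted parameter with a clock tolerance, and 黄舟's device identifier plus timestamp) describe the same structure: the client derives a value from a per-request timestamp and a secret baked into the app, and the server recomputes and compares it. The following is an added example, not code from either answer: it uses an HMAC keyed with an app-embedded secret instead of public-key encryption (a substitution), adds a per-request nonce so a captured request cannot be replayed inside the tolerance window, and sorts the parameters so both sides sign identical bytes. `APP_SECRET`, `MAX_SKEW`, the device id and the parameter names are all constructed. The caveat from the answers carries over unchanged: whoever extracts `APP_SECRET` from the app binary can produce valid signatures.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Secret compiled into the app and known to the server (constructed for the example).
# Anyone who pulls it out of the app binary can sign requests: this only raises the
# bar, exactly as the answers above say.
APP_SECRET = b"example-app-secret-do-not-ship"
MAX_SKEW = 300  # seconds of client clock error tolerated (assumption)


def canonical(params: Dict[str, str]) -> bytes:
    """Sort keys so client and server sign the same bytes regardless of field order."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


def sign_request(device_id: str, params: Dict[str, str],
                 now: Optional[float] = None) -> Dict[str, str]:
    """Client side: attach device id, timestamp and a one-time nonce, then an HMAC over all of them."""
    ts = int(time.time() if now is None else now)
    signed = dict(params, device_id=device_id, ts=str(ts), nonce=secrets.token_hex(8))
    signed["sig"] = hmac.new(APP_SECRET, canonical(signed), hashlib.sha256).hexdigest()
    return signed


# Server memory of accepted nonces -> their timestamp, kept only for the skew window.
_seen_nonces: Dict[str, int] = {}


def verify_request(req: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: recompute the HMAC, check freshness, reject reused nonces."""
    now_s = int(time.time() if now is None else now)
    req = dict(req)
    sig = req.pop("sig", None)
    if sig is None or not {"device_id", "ts", "nonce"}.issubset(req):
        return False, "missing fields"
    expected = hmac.new(APP_SECRET, canonical(req), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):      # constant-time compare
        return False, "bad signature"
    try:
        ts = int(req["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now_s - ts) > MAX_SKEW:                   # the "error value" from the answer
        return False, "stale timestamp"
    # Forget nonces that have aged out of the window, then refuse any nonce seen before.
    for nonce, seen_ts in list(_seen_nonces.items()):
        if now_s - seen_ts > MAX_SKEW:
            del _seen_nonces[nonce]
    if req["nonce"] in _seen_nonces:
        return False, "replay"
    _seen_nonces[req["nonce"]] = ts
    return True, "ok"
```

The nonce cache is what turns "the parameters differ on every request" into "a captured request cannot be resubmitted"; the timestamp alone only bounds how long a capture stays useful.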
  • 大家讲道理 (2017-04-17 12:09:13)

    HTTP has no good way to prevent cracking; it can only make cracking harder.
    The digest authentication method is good.

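HTTP Digest authentication, mentioned in the answer above, as an added example that is not part of the original answer: both sides of the exchange in Python, following the RFC 2617 / RFC 7616 computation with qop=auth (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)). The server issues a random nonce and tracks the highest nonce count it has accepted for it, which is what lets it refuse a replayed Authorization header. The realm, the user table and the helper names are constructed; MD5 is used because it is the algorithm the scheme historically mandates, and RFC 7616 also permits SHA-256 in the same structure.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

REALM = "app@example.com"              # assumption
_users = {"alice": "correct horse"}    # constructed; a real server stores HA1, not the password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response' field as defined for qop=auth."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Server state: nonce issued -> highest nonce count accepted so far.
_nonces: Dict[str, int] = {}


def challenge() -> Dict[str, str]:
    """Server: parameters of the WWW-Authenticate: Digest header."""
    nonce = secrets.token_hex(16)
    _nonces[nonce] = 0
    return {"realm": REALM, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}


def client_authorize(user: str, password: str, method: str, uri: str,
                     chal: Dict[str, str], nc: int = 1) -> Dict[str, str]:
    """Client: parameters of the Authorization: Digest header for one request."""
    cnonce = secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    resp = digest_response(ha1(user, chal["realm"], password), method, uri,
                           chal["nonce"], nc_hex, cnonce)
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc_hex, "cnonce": cnonce, "response": resp}


def server_verify(method: str, auth: Dict[str, str]) -> Tuple[bool, str]:
    """Server: recompute the response for the stored password and check the nonce count."""
    nonce = auth.get("nonce", "")
    if nonce not in _nonces:
        return False, "unknown nonce"
    nc = int(auth["nc"], 16)
    if nc <= _nonces[nonce]:                 # same or older count: a replayed header
        return False, "replayed nonce count"
    password = _users.get(auth.get("username", ""))
    if password is None:
        return False, "unknown user"
    expected = digest_response(ha1(auth["username"], REALM, password), method,
                               auth["uri"], nonce, auth["nc"], auth["cnonce"], auth["qop"])
    if not hmac.compare_digest(expected, auth["response"]):
        return False, "bad response"
    _nonces[nonce] = nc
    return True, "ok"
```

Digest binds the method and URI into the hash and never sends the password, but it does not cover the request body and still relies on the client holding the user's secret, so it answers the question's "is this the logged-in user" part rather than the "is this our app" part.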