iPhone - Web 访问身份验证
我正在为我们的执行人员构建一个安全的应用程序...这是我的设置。这是一种有点 Macgyver 的方法,但请耐心等待:)
- 只有 10 个用户,我在后端的数据库表中记录了每个 uniqueIdentifier。 (这仅适用于我们的用户内部,因此我不认为我违反了 API 文档中提到的公共用户注册规则)
- 通过临时分发,我在所有 10 台设备上安装了我的应用程序
- 我的应用程序只是由 UIWebView 组成。
- 当应用程序启动时,它会向我们的 https 站点发送一个 POST 消息,发送 uniqueIdentifier。 (感谢这个答案)
- 接收POST,检查唯一标识符,如果找到,则设置一个会话 cookie,自动将它们记录到站点中。
- 这样用户就不必每次都输入其凭据。
那么您认为这是否存在安全漏洞?
谢谢
I am building a secure app for our exec's... here is my setup. It's a somewhat Macgyver approach, but bear with me :)
- There are only 10 users, I have a record of each uniqueIdentifier on my backend in a database table. (This is internal only for our users, so I don't believe I am breaking the public user registration rule mentioned in the API docs)
- Through adhoc distribution I install my app on all 10 devices
- My app is simply composed of a UIWebView.
- When the app starts it does a POST to our https site sending the uniqueIdentifier. (Thanks to this answer)
- The server page that recieves the POST, checks the uniqueIdentifier and if found sets a session cookie that automatically logs them into the site.
- This way the user doesn't have to enter in their credentials every time.
So what do you think, is there a security hole with this?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
由于您将所有唯一 ID 存储在应用程序中,每个 ID 都是解锁访问权限的凭据,因此我所需要做的就是窃取您员工的一部手机,或者以其他方式获取应用程序的副本来查找这些密钥。
如果您需要在手机上存储凭据,请使用 iPhone 的钥匙串。
Since you are storing all your unique IDs in the application, each of which is a credential that unlocks access, all I need to do is steal one of your employee's phones or otherwise get a copy of the application to look for those keys.
If you need to store credentials on the phone, use the iPhone's Keychain.