验证智能手机应用程序(如 Android)的不同方法
我正在寻找不同的方法来验证客户端,如 android、iphone、windows 和黑莓应用程序,哪一种更好以及为什么
根据我的研究,我知道有 2 种方法来验证客户端 1. 嵌入智能手机应用程序内的私钥,用于签署消息:问题是黑客很容易获得私钥 2. 客户端证书
是否有其他方法来验证这些智能手机应用程序的身份,哪一种最安全?
I am looking for different ways to authenticate client like android, iphone, windows and blackberry app and which one is better and why
As per my research I know of 2 way to authenticate client
1. Private key embedded inside smartphone app which will be used to sign the message : Problem with this is its easy for hacker to get access to private key
2. Client certificate
Are there other ways to authenticate these smartphone app and which one is most secured?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您在此处列出的两个选项实际上是相同的。客户端证书实际上只是由某个实体签名的私钥/公钥对的公钥部分以及一些标识信息。
对客户端进行身份验证的最佳方法是使用相互身份验证的 SSL。您可以在此处使用自签名证书,这样您就不需要从 CA 购买任何证书,前提是您控制着要允许访问的所有客户端,并且控制着它们要与之通信的服务器。这将确保您的客户端仅从您的合法服务器接收数据(为您的应用程序配置 SSL 系统,使其仅接受您的服务器正在使用的自签名证书),并且您的服务器仅接受来自您授权客户端的数据(将您的服务器配置为仅访问应用程序中部署的自签名证书作为客户端身份验证的资源)。 Android 的应用程序安全性中有关于如何为 Android 执行此操作的完整分步说明。平台,由 O'Reilly 发布。
您是正确的,您需要在客户端应用程序中嵌入一些秘密信息(私钥),攻击者将能够破坏它。目前 Android 中最好的解决方案是将证书和私钥放入密钥库中,并将其作为资源包含在应用程序 APK 中,并让应用程序在需要使用密钥时访问密钥库。这意味着您的应用程序需要拥有密钥库的密码。因此,如何保护该密码变得很重要。您可以混淆您的代码,使攻击者更难确定该密码,但这只会减慢对您的应用程序进行逆向工程的确定攻击者的速度。但是,除了要求设备用户每次想要使用您的应用程序时都输入该密码之外,这就是您能做的最好的事情。如果设备上运行的客户端应用程序需要访问它存储的内容,则有权访问该设备的人也将能够访问它。你所能做的一切都会让事情变得更加困难。
Both of the options you list here are really the same. A client certificate is really just the public key part of a private/public keypair that is signed by some entity along with some identification information.
The best way to authenticate the client is to use mutually authenticated SSL. You can use self-signed certificates here so you don't need to buy any from a CA, assuming you control all of the clients that you want to allow access and you control the servers they are going to talk to. This will ensure that your clients only receives data from your legitimate server (configure the SSL system for your application to only accept the self-signed certificate that your server is using) and your server only accepts data from your authorized clients (configure your server to only access the self-signed certificates deployed in your app as a resource for client authentication). There is a complete step-by-step rundown on how to do this for Android in Application Security for the Android Platform, published by O'Reilly.
You are correct in that you need to embed some secret information (a private key) in your client application and an attacker will be able to compromise it. The best solution you have within Android right now is to put the certificate and private key in a Keystore that you include in your application APK as a resource and have your application access the Keystore when it needs to use the key. That means your application will need to have the password to the Keystore. So, how you protect that password becomes important. You can obfuscate your code to make it harder for an attacker to determine that password, but that will only slow down a determine attacker who is reverse engineering your application. However, short of requiring the user of the device to type that password in every time they want to use your application, that's the best you can do. If your client app that is running on the device needs access to something that it stores, a person with access to that device will be able to access it as well. All you can do it make it more difficult.