如何保护API?
Client Side app <--> Backend <--> API
这是通过从其他客户端应用程序访问安全API的正确方法吗?如果是这样,为什么我们需要API?我们可以直接使用后端获取和处理数据,然后将其发送回客户。你能解释一下吗?
注意:
我的意思是上面的简单图是,客户端应用程序提出了后端请求,然后后端向API提出请求。
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您无法保护API免受其他客户端应用程序。您在请求中发送的任何魔术事物都必须是“嘿,我已经授权”的一部分,在这种情况下,它可以进行逆转。您可以做的是授权用户 - 用户可以通过某个秘密(例如用户名和密码)登录,并且服务器可以在响应中发送秘密代码,客户客户端将在以后的请求中发送回。每个用户的秘密代码都会有所不同。这样做,然后通过加密的连接(HTTPS)进行操作,这与您在那个方面一样好(较小的细节,例如到期旧代码并旋转它们,但它们都是围绕此想法的实现细节)。
您之所以能授权用户而不是应用程序的原因是,用户掌握了一个使某人分解应用程序无法获得的秘密,因为它不在此处 - 它在用户的头上。没有这些,就无法知道应用程序是否真的被授权,或者是否有人将您的秘密偷走并偷走了您的秘密。
You can't protect an API from other client side apps. Any magic thing you send in the request that means "Hey I'm authorized" would have to be part of the app, in which case it can be reverse engineered. What you can do is authorize a user- the user can log in via some secret (such as a username and password), and the server can send back a secret code in response, that the client will send back in later requests. That secret code will be different for every user. Do that, and do it over an encrypted connection (HTTPS) and that's about as good as you can do on that front (there's minor details like expiring old codes and rotating them, but they're all implementation details around this idea).
The reason why you can authorize a user and not an app is that the user holds a secret that someone decompiling an app can't get, because it's not in there- it's in the user's head. Without that, there's no way to know if an app is really authorized or if someone decompiled and stole your secret.
你的问题
在我看来,您对所使用的术语有些困惑,因为API服务器实际上是后端。
我认为您的使用是什么意思:
是:
反向代理人
用于减少移动应用程序中API键数量的传统方法是使用反向代理,但是只有当您的应用程序提出请求到两个或多个API,因为您将始终需要一个API键来向反向代理提出请求。
反向代理更常用于保护对第三方API的访问,我写了使用反向代理来保护第三方API 这更详细地说明了为什么要使用它:
使用反向代理只会将需求从保护第三方服务的API密钥或您自己的API后端来保护API密钥或用于访问反向代理的任何其他秘密/标识符,但具有优势,但是现在,您可以控制如何访问第三方API,同时保留API键以访问移动应用程序攻击者的范围。换句话说,您仅在移动应用程序中揭示一个API键,从而减少了攻击表面,并具有一个单个位置的额外好处,您可以减轻使用API后端的滥用。
在我将您链接
到一些可能的解决方案之前,我想首先要清除误解,通常我会在任何资历的开发人员中发现,这是关于谁和什么正在访问API服务器。
我撰写了一系列有关API和移动安全性的文章,并在文章为什么您的移动应用需要一个API密钥?您可以详细阅读谁和 /strong>正在访问您的API服务器,但我将在此处提取主要收入:
因此,请考虑 作为用户,您的API服务器将能够对数据进行身份验证并授权访问数据,并考虑什么是代表该请求的软件用户。
当您掌握这个想法并根深蒂固的心态时,您将以另一个角度研究移动API安全性,并能够看到以前从未存在的攻击表面。
可能的解决方案
我建议您阅读这个答案我将问题给出了如何为移动应用程序确保API REST ?,尤其是部分硬化和屏蔽移动应用程序,确保API服务器和可能是更好的解决方案。
将API后端锁定到移动应用程序的最佳选择是使用移动应用证明解决方案,该解决方案将对API后端具有很高的信心,即该请求确实来自您移动应用程序的真实且不受影响的版本。
您想加倍努力吗?
在对安全问题的任何回应中,我一直都希望参考OWASP基金会的出色工作。
对于Apis
owasp app api api Security top 10
对于移动应用程序
Owasp-移动安全测试指南:
Your Problem
It seems to me that you are a little confused with the terminology being used, because an API server is in fact a backend.
I think what you mean by the use of this:
is this:
Reverse Proxy
The traditional approach used to reduced the number of API keys in a mobile app is the use of a Reverse proxy, but it only makes sense if your app makes requests to two or more APIs, because you will always need an API key to make requests to the Reverse Proxy.
Reverse Proxy is more commonly used to protect access to Third Party APIs, and I wrote the article Using a Reverse Proxy to Protect Third Party APIs that goes in more detail why you should use it:
The use of a Reverse Proxy only shifts the need from protecting the API key for the third party service, or your own API backends, to protect the API key or any other secret/identifier used to access the Reverse Proxy, but with the advantage that you now have control of how the third party API can be accessed, while keeping the API key to access them out of reach of the mobile app attacker. In other words you only expose one API key in your mobile app, thus reducing the attack surface, with the added benefit of having one single place where you can mitigate the abuse of using your API backends.
The Difference Between WHO and WHAT is Accessing the API Server
Before I link you to some possible solutions I would like to first clear a misconception that usually I find among developers of any seniority, that is about the difference between who and what is accessing an API server.
I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:
So think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.
When you grasp this idea and it's ingrained in your mindset, then you will look into to mobile API security with another perspective and be able to see attack surfaces that you never though they existed before.
Possible Solutions
I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.
Your best option to lock the API backend to your Mobile App is to use a Mobile APP Attestation solution that will give a very high degree of confidence to the API backend that the request is originated indeed from a genuine and untampered version of your mobile app.
Do You Want To Go The Extra Mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIS
OWASP API Security Top 10
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
OWASP - Mobile Security Testing Guide: