问题
I have a pre-existing iOS & Android app, that I'm making an update for that includes a RESTful services API and Facebook login for user authentication. The general flow of the app is:
- Users "logs in" to my app, via Facebook's SDKs, which return an access token to my app.
- App calls a RESTful service, including the Facebook access token as a parameter (using HTTPS and SSL)
- Service that is called, sends the received access token (and app secret stored only on my servers) to Facebook to verify who the user is, and performs actions based on that. Facebook is set to require app secret from server-side calls.
My app has gained popularity and has several clones already, and I want to prevent these clones from being able to use my RESTful API (as I am sure that they will try to do when I release the update). Let's assume that the clones are smart, are using the same Facebook access tokens that my app does (if this is possible), and are following a similar pattern & frequency of calling the API that my app does.
Is there anyway to ensure, or nearly ensure, that calls to my services are coming only from my app, and not the clones?
Thanks in advance!
回答1:
You can do this by including a signature in the request, and verifying it.
App Side:
do something like:
signature = md5( md5(url + data) + MY_RANDOM_KEY)append
signatureto the data, or url, etc.send call to REST api (as usual)
Server Side:
extract the
signaturefrom the body/url (and remove it from there).calculate what you think it should be:
signature_should_be = md5( md5(url + data) + MY_RANDOM_KEY)[keep in mind you've removedsignaturefrom url/data so that you get url/data in its original pre-hash state]verify that
signatureandsignature_should_beare equal
Doing this, along with SSL, should make your API secure enough.
回答2:
You could do as Tommy Crush suggests and add a secret inside you application. But if you are up against clever opponents, this probably won't help. The attackers can either decompile your application or try to simply reverse engineer your signature algorithm.
It is important to remember that anything stored within your application should be thought of as already compromised, as an attacker can decompile your app and scour through your code as much as he/she pleases and extract anything he/she wants from it. You cannot rely on anything in your application to be safe inside your app, since an attacker can extract it from your app into their app.
It is important to note that you are using trying to use OAuth for authentication, which is not intended for. It is simply meant for authorization, which is not the same as authentication. Authorization simply gives you access to a resource, but does not tell you who accessed it, which is the problem you are facing. To authenticate your users as your real users (or as close as you can get), you would need to add a login service for your service - something like rolling your own OAuth-server, or similar. Then you can decide who can access the resource, which in this case is your RESTful API :) If this is more work than it is worth, then Tommy's scheme is a good alternative :)
回答3:
The de facto solution for authentication on restful APIs like Twitter and Facebook use is the OAuth mechanism. You can find more details here: http://en.wikipedia.org/wiki/OAuth.
OAuth is supported from the majority of the languages with external libraries. On Android for example there is the https://github.com/wuman/android-oauth-client library.
来源:https://stackoverflow.com/questions/22774584/how-can-i-prevent-other-ios-android-apps-from-using-my-restful-api