
We are going to build a Web API application which will be used by an Android app. I want to protect this public-facing API so that only the Android app can use the API.

We prefer not to use HTTPS because the data that is transferred is not really sensitive. There is also no sign-in involved, so as long as we make sure the legitimate app is making the call we are fine.

I was thinking of sharing a kind of secret data between the app and the API, but our Android developer says that whatever data we put in the app can be retrieved by malicious people. Plus, transferring that piece of data over HTTP is not safe.

I would like to know if anyone can help me with a solution by which we preferably won't have to use HTTPS?


2 Answers


You are right that someone could recover a shared secret from the application's sources on the device. And there is no way to do what you want without using transport layer security (TLS/SSL). Once you send any secret in the clear, it is no longer a secret.

There is some good advice here on how to do this properly: http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html

"You absolutely must use an HTTPS connection to prevent any man-in-the-middle from peeking at your token." Emphasis from the page itself.

answered 2013-09-16T07:34:24.650

One idea is to have the app compute a key based on, for example, the time the message is sent; the server side will then be able to verify that key. The server will have to allow some time window.

If you use Proguard to obfuscate your app code, it may be very hard to read your code (not impossible, but very hard). Finding a constant in obfuscated code is easier than working out what a method call is doing, so I suggest computing the key.

With this approach, someone who intercepts a message can reuse the key (at least not for more than a very short time). So if you really want to avoid https and your data is not that sensitive, this is a possible solution.

answered 2013-09-16T07:42:09.737
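The time-derived key that the second answer sketches, worked through as an added example (this is not code from the question or from either answer). Both the app side and the server side are written in Python here so the exchange runs offline; the embedded `APP_SECRET`, the 30-second bucket, the one-bucket tolerance on either side and the `X-App-Key` header name are all assumptions of this example. The key is an HMAC over the time bucket plus the request method, path and body, so it cannot be lifted onto a different request. The `demo()` scenarios show the property the answer admits to: a captured request is still accepted 10 seconds later, and only rejected once the clock has moved outside the window. The `ReplayGuard` class goes one step beyond the answer by remembering keys already seen inside the window, which closes the single-replay case but does nothing about the point made in the first answer, namely that an attacker who extracts `APP_SECRET` from the APK can mint keys at will.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed for this example: a secret compiled into the app (which, as the
# question notes, can be pulled out of the APK) and a 30-second time bucket.
APP_SECRET = b"example-shared-secret-not-for-production"
BUCKET_SECONDS = 30
WINDOW_BUCKETS = 1  # server accepts the current bucket plus one either side (clock skew)


def time_bucket(now: float) -> int:
    """Coarsen the clock so that client and server agree on the same value."""
    return int(now // BUCKET_SECONDS)


def compute_key(secret: bytes, bucket: int, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over the bucket and the request, so the key is bound to both
    the time it was issued and the exact request it accompanies."""
    msg = b"\n".join([str(bucket).encode(), method.encode(), path.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


# --- app side (would be Java/Kotlin on Android; Python here for the demo) ---

def client_sign(method: str, path: str, body: bytes, now: Optional[float] = None) -> dict:
    """Produce the header the app attaches to an outgoing request."""
    now = time.time() if now is None else now
    return {"X-App-Key": compute_key(APP_SECRET, time_bucket(now), method, path, body)}


# --- server side ---

def server_verify(method: str, path: str, body: bytes, headers: dict,
                  now: Optional[float] = None) -> bool:
    """Recompute the key for every bucket in the window and compare in constant time."""
    now = time.time() if now is None else now
    presented = headers.get("X-App-Key", "").encode()
    centre = time_bucket(now)
    for b in range(centre - WINDOW_BUCKETS, centre + WINDOW_BUCKETS + 1):
        expected = compute_key(APP_SECRET, b, method, path, body).encode()
        if hmac.compare_digest(expected, presented):
            return True
    return False


class ReplayGuard:
    """Beyond the answer: remember keys seen inside the window so a captured
    request cannot be replayed even once. Entries expire with the window."""

    def __init__(self) -> None:
        self._seen: dict = {}  # key -> bucket in which it was first accepted

    def verify(self, method: str, path: str, body: bytes, headers: dict,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        centre = time_bucket(now)
        # Drop entries that the window would reject anyway, so the cache stays bounded.
        self._seen = {k: b for k, b in self._seen.items()
                      if b >= centre - WINDOW_BUCKETS - 1}
        if not server_verify(method, path, body, headers, now):
            return False
        key = headers["X-App-Key"]
        if key in self._seen:
            return False  # valid key, but already used: treat as replay
        self._seen[key] = centre
        return True


def demo() -> dict:
    """Fixed clocks make the scenarios deterministic. Sample request is constructed."""
    t0 = 1_000_000.0
    method, path, body = "POST", "/api/report", b'{"score": 42}'
    captured = client_sign(method, path, body, now=t0)  # what a sniffer on HTTP sees
    guard = ReplayGuard()
    return {
        "fresh": server_verify(method, path, body, captured, now=t0),
        "replay_10s": server_verify(method, path, body, captured, now=t0 + 10),
        "replay_120s": server_verify(method, path, body, captured, now=t0 + 120),
        "tampered_body": server_verify(method, path, b'{"score": 9999}', captured, now=t0),
        "guard_first": guard.verify(method, path, body, captured, now=t0),
        "guard_replay": guard.verify(method, path, body, captured, now=t0 + 10),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

Note that `replay_10s` is accepted: over plain HTTP anyone on the path can capture the request and resend it for the rest of the window, which is exactly the limitation the answer describes. Widening `WINDOW_BUCKETS` to tolerate more clock skew widens that replay period as well.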