Securing the connection between an iOS app and an online database

Time: 2021-10-12 05:01:37

I have an iPhone application that needs to collect data from an online MySQL database. I've written a PHP web service so I collect the data with JSON. The problem is that everyone can see the data if they go to the URL now. How do I secure the data transfer properly?


Thanks for your suggestions.


2 solutions

#1


1  

Typically, if you are showing data private to a particular user, then each user will generally have an account (user id and password). The app will pass the user's credentials to the server before the server will provide the user's data.


You can also do something similar using SSO integration, or OAuth (à la Facebook).


In some cases, your app may only pass the username/password on the initial call and receive a session ID, which the app passes on remaining calls. This allows the server to store session data.


Even if the data isn't private to a particular user, you can use accounts to restrict access and privileges for a publicly reachable web API.


In all of the above cases encryption such as SSL (HTTPS) must be used to protect the authentication mechanisms and data transfer.

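The login-then-session-ID flow described in this answer, as an added example that is not code from the answer or from the question's PHP service. It is written in Python so that it runs stand-alone; the user table, the session lifetime, the PBKDF2 parameters and the per-user sample rows are all assumptions made for the demonstration (in the question's setup, users and sessions would live in the MySQL database behind the PHP endpoint).

```python
"""Account login returning a session ID that is presented on later calls.

Added example, not code from the original answer. The user table, the
session lifetime, the PBKDF2 parameters and the per-user sample data
are assumptions made for this demonstration.
"""
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL_SECONDS = 60 * 60   # assumption: one-hour sessions
PBKDF2_ITERATIONS = 100_000     # assumption; tune to your hardware

# Constructed sample data standing in for the MySQL rows the question mentions.
PRIVATE_DATA = {
    "alice": ["order 1001", "order 1002"],
    "bob": ["order 2001"],
}


class AuthServer:
    def __init__(self):
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.sessions = {}  # session id -> (username, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, now=None):
        """Initial call: credentials in, session ID out (or None on failure)."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = record if record is not None else (b"\0" * 16, bytes(32))
        if record is None or not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[session_id] = (username, now + SESSION_TTL_SECONDS)
        return session_id

    def authenticate(self, session_id, now=None):
        """Remaining calls: map the session ID back to a user, dropping expired sessions."""
        now = time.time() if now is None else now
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self.sessions[session_id]
            return None
        return username

    def logout(self, session_id):
        self.sessions.pop(session_id, None)

    def get_data(self, session_id, now=None):
        """The JSON endpoint: returns (body, HTTP status) with the session's own rows only."""
        username = self.authenticate(session_id, now)
        if username is None:
            return {"error": "unauthorized"}, 401
        return {"user": username, "items": PRIVATE_DATA.get(username, [])}, 200


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse battery staple")
    sid = server.login("alice", "correct horse battery staple")
    print(server.get_data(sid))       # alice's rows, status 200
    print(server.get_data("guess"))   # {'error': 'unauthorized'}, 401
```

The session ID is a bearer token: whoever holds it is "alice" until it expires, which is why the answer's last point about HTTPS is not optional. On the device it belongs in the iOS Keychain rather than in a plist or user defaults, and the server should expire it both on a timer and on explicit logout, as above.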

#2


0  

I'm assuming your data is public for all users of your app, in other words, you don't want to implement a login mechanism for your users. If you just want to make sure you return the data only to users of your app and not to anyone who happens to enter the right URL in their browser, you will need to sign your requests, so that only requests from your app are accepted by your server.


I use a secret key that my app uses to create a hash/digest of the request which the server verifies (it knows the secret key as well). Also I make sure requests cannot be replayed if they are intercepted by adding a timestamp and a nonce. The timestamp is checked to be within 10 minutes of the server's timestamp (relaxed sync) and the nonce must be unique (server keeps the last 10 minutes of nonces). This way no-one can copy the same request, the server will just serve an error if they try.


This post explains how to sign your requests in a bit more detail: http://www.naildrivin5.com/blog/2008/04/21/rest-security-signing-requests-with-secret-key-but-does-it-work.html

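The signing scheme this answer describes (shared secret, HMAC over the request, a timestamp checked against a 10-minute window, and a nonce that the server remembers for that window), carried through as an added example with both the app side and the server side. This is not code from the answer, the linked post or the question's PHP service; it is written in Python so it runs stand-alone, and the shared secret, the canonical-string layout, the `X-Timestamp` / `X-Nonce` / `X-Signature` header names and the in-memory nonce store are assumptions made for the demonstration.

```python
"""HMAC request signing with a timestamp and nonce, with replay rejection.

Added example, not code from the original answer. The shared secret,
the canonical-string layout, the header names and the in-memory nonce
store are assumptions made for this demonstration.
"""
import hashlib
import hmac
import os
import time
from urllib.parse import urlencode

SHARED_SECRET = b"demo-shared-secret"  # assumption: baked into the app and known to the server
WINDOW_SECONDS = 10 * 60                # the answer's 10-minute tolerance


def canonical_string(method, path, params, timestamp, nonce):
    """The exact bytes both sides sign. Parameters are sorted so reordering them
    cannot change the digest; the method and path are covered too, so a signature
    for GET /api/items cannot be reused on some other endpoint."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}\n{timestamp}\n{nonce}".encode()


def sign_request(method, path, params, now=None, secret=SHARED_SECRET):
    """Client side (the app): attach timestamp, fresh nonce and HMAC-SHA256 digest."""
    timestamp = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()   # 128 random bits; collisions within the window are not a concern
    digest = hmac.new(secret,
                      canonical_string(method, path, params, timestamp, nonce),
                      hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": digest}


class Verifier:
    """Server side (the PHP service in the question): recompute the MAC,
    enforce the time window, and refuse any nonce already seen in that window."""

    def __init__(self, secret=SHARED_SECRET, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; must become a shared store once there is more than one server

    def verify(self, method, path, params, headers, now=None):
        now = int(time.time() if now is None else now)
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        expected = hmac.new(self.secret,
                            canonical_string(method, path, params, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time compare, and check the MAC before touching the nonce store so
        # unauthenticated junk can neither fill it nor burn a nonce the real client will use.
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False, "nonce already used (replay)"
        self.seen[nonce] = timestamp
        return True, "ok"


def demo(now=1_700_000_000):
    """A good request, an exact replay of it, a tampered copy, and a stale signature.
    Returns the four (accepted, reason) results in that order."""
    server = Verifier()
    params = {"item": "42", "lang": "en"}   # constructed sample query
    headers = sign_request("GET", "/api/items", params, now=now)
    first = server.verify("GET", "/api/items", params, headers, now=now)
    replay = server.verify("GET", "/api/items", params, headers, now=now + 5)
    tampered = server.verify("GET", "/api/items", {"item": "43", "lang": "en"}, headers, now=now)
    stale_headers = sign_request("GET", "/api/items", params, now=now - WINDOW_SECONDS - 1)
    stale = server.verify("GET", "/api/items", params, stale_headers, now=now)
    return first, replay, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "tampered", "stale"), demo()):
        print(f"{label:9s} -> {result}")
```

Two caveats a practitioner should keep in mind. The secret ships inside the app binary, so anyone willing to take the binary apart can recover it and sign their own requests; the scheme stops casual visitors and replayed captures, not a determined attacker, which is the question in the linked post's title. And the nonce store only works if every server that verifies requests sees the same set, so with more than one backend it has to move out of process memory into something shared.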
