I am making a trivia android application, and I have the questions and answers database stored on my server. In my app, the user types in his/her username and password, and this is sent to a servlet, which then authenticates it with the Database. If the authentication was successful, the user information for the particular user will be downloaded and stored in SharedPreferences. In the user information, there is a user key that is used to access the server again to update user information, and get other values from the database such as the questions and answers. However, this is not very secure as any attacker can create an account, login, and find the user key and use it to get the trivia answers. Should I use a keystore or a token system in my server to authenticate a request for the database. How should I do this? Thanks for the help!
我正在制作一个琐事Android应用程序,我有我的服务器上存储的问题和答案数据库。在我的应用程序中,用户键入他/她的用户名和密码,然后将其发送到servlet,然后servlet使用数据库对其进行身份验证。如果验证成功,则将下载特定用户的用户信息并将其存储在SharedPreferences中。在用户信息中,有一个用户密钥,用于再次访问服务器以更新用户信息,并从数据库中获取其他值,例如问题和答案。但是,这不是很安全,因为任何攻击者都可以创建帐户,登录并查找用户密钥并使用它来获取琐事答案。我是否应该在服务器中使用密钥库或令牌系统来验证对数据库的请求。我该怎么做?谢谢您的帮助!
3 个解决方案
#1
0
You could scramble the key before putting it in shared pref, and then unscramble it before sending it to your server each time... not to say someone couldn't reverse engineer your app to look at your algorithm and figure out the real key. But then again, how hard are people really going to try to cheat at trivia?
您可以在将密钥放入共享pref之前对其进行加密,然后在每次将其发送到服务器之前对其进行解密...而不是说有人无法对您的应用进行逆向工程以查看您的算法并找出真正的密钥。但话又说回来,人们真的试图欺骗琐事有多难?
#2
0
The most secure way would be not to send the answers. Send the user's answer to the server, and have the server check the answer and return right or wrong.
最安全的方法是不发送答案。将用户的答案发送到服务器,让服务器检查答案并返回对错。
#3
0
Use PGP encryption. Encrypt user/pw using public key in android then decrypt it using private key in the server. mcrypt or openssl can do that for you.
使用PGP加密。使用android中的公钥加密user / pw,然后使用服务器中的私钥对其进行解密。 mcrypt或openssl可以为你做到这一点。
#1
0
You could scramble the key before putting it in shared pref, and then unscramble it before sending it to your server each time... not to say someone couldn't reverse engineer your app to look at your algorithm and figure out the real key. But then again, how hard are people really going to try to cheat at trivia?
您可以在将密钥放入共享pref之前对其进行加密,然后在每次将其发送到服务器之前对其进行解密...而不是说有人无法对您的应用进行逆向工程以查看您的算法并找出真正的密钥。但话又说回来,人们真的试图欺骗琐事有多难?
#2
0
The most secure way would be not to send the answers. Send the user's answer to the server, and have the server check the answer and return right or wrong.
最安全的方法是不发送答案。将用户的答案发送到服务器,让服务器检查答案并返回对错。
#3
0
Use PGP encryption. Encrypt user/pw using public key in android then decrypt it using private key in the server. mcrypt or openssl can do that for you.
使用PGP加密。使用android中的公钥加密user / pw,然后使用服务器中的私钥对其进行解密。 mcrypt或openssl可以为你做到这一点。