英文:
Hiding my server's real URL from attackers in my app using the signing key?
问题
这只是一个想法,我想问一下这个方法是否有效,以及存在哪些危险(如果有的话)。
假设我有一个具有API访问权限的应用程序连接到我的服务器。
我不希望任何人使用API,除了从官方Google Play商店下载了应用程序的合法用户,我不希望黑客、重新打包者和第三方应用商店的用户使用我的API。
这个想法如下:
我将我的API的URL设置为这样:
myserver.com/12345/api_resource
其中 12345 是我的应用程序签名密钥的前五个字符。
因此,如果我理解正确,任何重新打包应用程序并使用其自己的密钥的人将具有不同(错误的)服务器URL访问,如下:
myserver.com/abcde/api_resource
其中 abcde 是他自己密钥的前五个字符。
真实的签名密钥,因此真实的URL无法从源代码中提取,我对此理解正确吗?
当然,它可以从监视网络调用中提取,那是一个不同的话题,我只是想实现我上面提到的这些事情。
英文:
This is just an idea and I would like to ask will it work and what are the dangers (if any).
So let's say I have an application with an API access to my server.
I don't want anybody to use the API, except legitimate Google Play users who downloaded the application from the official Google Play store, I don't want hackers, repackers and third party app stores users to use my API.
The idea is the following:
I would make my API's url like this:
myserver.com/12345/api_resource
Whereas 12345 is the first five characters of my app signing key.
So if I think this right, anybody who repacks the app with his own key would have a different (false) server url access like:
myserver.com/abcde/api_resource
Whereas abcde is the first five characters of his own key.
The real signing key, thus the real url couldn't be extracted from the source code, am I right on this?
Of course, it could be extracted from monitoring network calls, that is a different topic, I just want to achieve the things I mentioned above.
答案1
得分: 1
The real signing key, thus the real url couldn't be extracted from the source code, am I right on this?
"真正的签名密钥,因此无法从源代码中提取真正的URL,我对此理解正确吗?"
I don't know how you are defining the "real signing key."
我不知道您如何定义“真正的签名密钥”。
Your public key is available via Signature from PackageManager. You could certainly use data derived from this as part of a URL.
您的公钥可以通过PackageManager中的Signature获得。您可以将从中派生的数据用作URL的一部分。
A naive repacker would wind up using their own public key, and this would fail your Web requests. However, a more sophisticated attacker could determine what you're doing by reverse-engineering (decompiling) your app. And that's in addition the network monitoring approach that you mention.
一个天真的重新打包者最终会使用他们自己的公钥,这将导致您的Web请求失败。然而,更复杂的攻击者可以通过反向工程(反编译)您的应用程序来确定您在做什么。这还包括您提到的网络监控方法。
英文:
> The real signing key, thus the real url couldn't be extracted from the source code, am I right on this?
I don't know how you are defining the "real signing key".
Your public key is available via Signature from PackageManager. You could certainly use data derived from this as part of a URL. A naive repacker would wind up using their own public key, and this would fail your Web requests. However, a more sophisticated attacker could determine what you're doing by reverse-engineering (decompiling) your app. And that's in addition the network monitoring approach that you mention.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论