Hiding my server's real URL from attackers in my app using the signing key?

Question


This is just an idea and I would like to ask will it work and what are the dangers (if any).

So let's say I have an application with an API access to my server.

I don't want anybody to use the API except legitimate Google Play users who downloaded the application from the official Google Play store; I don't want hackers, repackers and third-party app store users to use my API.

The idea is the following:

I would make my API's URL like this:

myserver.com/12345/api_resource

Where 12345 is the first five characters of my app signing key.

So if I think this right, anybody who repacks the app with his own key would have a different (false) server URL access like:

myserver.com/abcde/api_resource

Where abcde is the first five characters of his own key.

The real signing key, thus the real URL, couldn't be extracted from the source code, am I right on this?

Of course, it could be extracted from monitoring network calls, that is a different topic, I just want to achieve the things I mentioned above.

Answer 1

Score: 1


> The real signing key, thus the real URL, couldn't be extracted from the source code, am I right on this?

I don't know how you are defining the "real signing key".

Your public key is available via Signature from PackageManager. You could certainly use data derived from this as part of a URL. A naive repacker would wind up using their own public key, and this would fail your Web requests. However, a more sophisticated attacker could determine what you're doing by reverse-engineering (decompiling) your app. And that's in addition to the network monitoring approach that you mention.
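To make the answer's point concrete, here is an added example (not code from the question or the answer) of how an Android app can read its own signing certificate through PackageManager and derive a path segment from it, the way the question describes. The class name, the host and the eight-character prefix length are assumptions; the derivation hashes the whole certificate (which carries the public key) instead of taking the first characters of a key, and the comments state why the result is an identifier rather than a secret.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: derive an API path segment from the installed APK's signing certificate (API 28+). */
public final class SigningKeyPath {

    // Assumed host; the question uses myserver.com as its placeholder.
    private static final String API_HOST = "https://myserver.com";

    /**
     * Returns the lower-case hex SHA-256 fingerprint of the certificate this APK was signed
     * with, or null if it cannot be determined. The certificate ships inside every APK and is
     * readable by anyone, so a repacker signing with a different key simply gets a different value;
     * a repacker who keeps the original certificate bytes (or reads them off the wire) does not.
     */
    public static String signerFingerprint(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo signingInfo = info.signingInfo;
            if (signingInfo == null || signingInfo.hasMultipleSigners()) {
                return null; // an APK with several signers has no single "the" signing key
            }
            // The current signer of the APK contents (after key rotation this is the newest cert).
            Signature[] signers = signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return null;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(signers[0].toByteArray()); // DER-encoded X.509 certificate
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** Builds the URL shape from the question, e.g. https://myserver.com/<segment>/api_resource. */
    public static String apiUrl(Context ctx, String resource) {
        String fp = signerFingerprint(ctx);
        if (fp == null) {
            return null;
        }
        // Short prefix mirrors the question's idea; the server must treat it as a client
        // identifier, not as an authenticator, because it is visible in every request.
        return API_HOST + "/" + fp.substring(0, 8) + "/" + resource;
    }
}
```

On the server, a request with an unknown segment tells you only that the client was not signed with your certificate; it cannot tell a decompiled or network-captured copy of the real segment from a genuine app, which is the limitation the answer describes.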

huangapple
  • Posted on 2023-02-26 22:58:27
  • Please keep this link when reposting: https://go.coder-hub.com/75572829.html