How can I restrict my API so it can only be accessed from my Android app?
I know there are many similar questions, but I am confused.
My purpose is to access my API only from my application.
1) I studied JWT, but I have a doubt. Anyone can use my API login to access my application, get the token and send requests to the server. Right?
OAuth is not for me because I do not use third-party applications.
My idea is to generate a key on the client and one on the server. Then I encrypt the parameters I send (in a specific order) using the client key. Finally, on the server I decrypt and make the comparison (since I know the order of the parameters).
But the key on the client can be discovered by reversing it.
What do you suggest?
Your question
My purpose is to access my API only from my application.
First, let's clarify a common misconception among developers: WHO vs WHAT is accessing the API server.
WHO vs WHAT is accessing the API server
To better understand the difference between WHO and WHAT is accessing your API server, I recommend you read this section of my article, but I will extract a few lines from it here:
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
So the important thing to bear in mind is that the user of your mobile app is the WHO, not the WHAT, accessing your API server.
OAuth
OAuth is not for me because I do not use third-party applications.
You don't need to use third-party applications in order to use OAuth to authenticate and authorize WHO is accessing your API server; on the contrary, I would recommend you to use it.
JWT Tokens
1) I studied JWT, but I have a doubt. Anyone can use my API login to access my application, get the token and send requests to the server. Right?
Yes, anyone (WHO and WHAT) who gets hold of your JWT token, or for that matter any other type of secret you implement to protect access to your API, will be able to use it to impersonate whatever that secret represents to your API server.
Your idea
My idea is to generate a key on the client and one on the server. Then I encrypt the parameters I send (in a certain order) using the client key. Finally on the server I decrypt and make the comparison (since I know the order of the parameters).
But the key on the client can be discovered by reversing it.
Yes, it can be discovered by reverse engineering the mobile app.
It can be done via static binary analysis with tools like Mobile Security Framework, or at run-time with Frida or Xposed.
Mobile Security Framework
Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.
Frida
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That's great because it means that modules can work for different versions and even ROMs without any changes (as long as the original code was not changed too much). It's also easy to undo.
If you are not yet familiar with how secrets can be extracted from a mobile app APK via reverse engineering, you can read the article How to Extract an API Key from a Mobile App with Static Binary Analysis to get a better grasp of one of the methods.
Extracting secrets hidden in C native code with the JNI/NDK toolset is not easy to master with static binary analysis, so it is easier to extract the secret by hooking at run-time with Frida or Xposed. The attacker will hook into your code at the method that returns the secret, in your case the encryption key, even if it was retrieved from Android Shared Preferences.
JNI/NDK
Using Android Studio 2.2 and higher, you can use the NDK to compile C and C++ code into a native library and package it into your APK using Gradle, the IDE's integrated build system. Your Java code can then call functions in your native library through the Java Native Interface (JNI) framework.
SharedPreferences
A SharedPreferences object points to a file containing key-value pairs and provides simple methods to read and write them. Each SharedPreferences file is managed by the framework and can be private or shared.
You can visit the GitHub repository android-hide-secrets to see a basic Android mobile app that shows you several ways of hiding secrets, including the JNI/NDK one:
A quick demo to show several ways of hiding secrets in a mobile app, like in:
- source code
- manifest file
- gradle file
- JNI/NDK
To summarize, your idea has value, but you need to understand that it only makes bypassing it harder, not impossible. So should you use it? Yes, in my opinion we should strive for defense in depth by applying as many layers as we can, because that makes the attacker's life harder and may even stop some of them from carrying on with the attack.
API Security in Depth
You can start with basic API security measures, then adopt some more advanced ones, and if the data your API protects is worth it, you can even go the extra mile with your own Mobile App Attestation solution.
Basic API Security Defenses
Now that you understand the difference between who vs what is accessing your API server, you may want to read my article about basic techniques to secure an API:
In this article we will explore the most common techniques used to protect an API, including how important it is to use HTTPS to protect the communication channel between mobile app and API, how API keys are used to identify the mobile app on each API request, how user agents, captchas and IP addresses are used for bot mitigation, and finally how user authentication is important for the mobile security and API security. We will discuss each of these techniques and discuss how they impact the business risk profile, i.e. how easy they are to get around.
More Advanced API Security Defenses
You can start by reading this series of articles on Mobile API Security Techniques to understand how API keys, HMAC, OAuth and certificate pinning can be used to enhance security, while also learning how they can be abused/defeated.
Afterwards, depending on your budget and resources, you can employ a range of different approaches and techniques to defend your API server, and I will start to enumerate some of the most usual ones.
You can start with reCAPTCHA V3, followed by a Web Application Firewall (WAF) and finally, if you can afford it, a User Behavior Analytics (UBA) solution.
Google reCAPTCHA V3:
reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.
...helps you detect abusive traffic on your website without any user friction. It returns a score based on the interactions with your website and provides you more flexibility to take appropriate actions.
WAF - Web Application Firewall:
A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
UBA - User Behavior Analytics:
User behavior analytics (UBA) as defined by Gartner is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms like Apache Hadoop are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.
All these solutions work based on a negative identification model; in other words, they do their best to differentiate the bad from the good by identifying what is bad, not what is good, thus they are prone to false positives, despite the advanced technology used by some of them, like machine learning and artificial intelligence.
So you may find yourself more often than not having to relax how you block access to the API server in order not to affect the good users. This also means that these solutions require constant monitoring to validate that the false positives are not blocking your legitimate users and that at the same time they are properly keeping out the unauthorized ones.
Regarding APIs serving mobile apps, a positive identification model can be used by implementing a Mobile App Attestation solution that attests the integrity of your mobile app and device before any request is sent to the API server.
Mobile App Attestation
Finally, if you have the resources, you can go further by building your own Mobile App Attestation solution:
The role of a Mobile App Attestation service is to authenticate what is sending the requests, thus only responding to requests coming from genuine mobile app instances and rejecting all other requests from unauthorized sources.
In order to know what is sending the requests to the API server, a Mobile App Attestation service, at run-time, will identify with high confidence that your mobile app is present, has not been tampered/repackaged, is not running in a rooted device, has not been hooked into by an instrumentation framework (Frida, xPosed, Cydia, etc.), and is not the object of a Man in the Middle Attack (MitM). This is achieved by running an SDK in the background that will communicate with a service running in the cloud to attest the integrity of the mobile app and device it is running on.
On a successful attestation of the mobile app integrity, a short time lived JWT token is issued and signed with a secret that only the API server and the Mobile App Attestation service in the cloud know. In the case that attestation fails the JWT token is signed with an incorrect secret. Since the secret used by the Mobile App Attestation service is not known by the mobile app, it is not possible to reverse engineer it at run-time even when the app has been tampered with, is running in a rooted device or communicating over a connection that is the target of a MitM attack.
The mobile app must send the JWT token in the header of every API request. This allows the API server to only serve requests when it can verify that the JWT token was signed with the shared secret and that it has not expired. All other requests will be refused. In other words a valid JWT token tells the API server that what is making the request is the genuine mobile app uploaded to the Google or Apple store, while an invalid or missing JWT token means that what is making the request is not authorized to do so, because it may be a bot, a repackaged app or an attacker making a MitM attack.
A great benefit of using a Mobile App Attestation service is its proactive and positive authentication model, which does not create false positives, and thus does not block legitimate users while it keeps the bad guys at bay.
Summary
In my opinion, the best solution is defense in depth, by applying as many layers as you can, so that you increase the time, effort and skill set needed to bypass all the security layers, thus keeping script kiddies and hackers from abusing your service.
Going the Extra Mile
I strongly recommend you also take a look at the OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
Happy coding, and stay safe while you do it ;)
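An added example of the API-server side of the attestation flow the answer describes (example code, not taken from the answer or from any attestation product): the attestation service issues a short-lived HS256 JWT signed with a secret it shares only with the API server, and the API server refuses any request whose token is signed with the wrong secret, expired, or malformed. The secret value, the app id and the X-App-Token header name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Secret shared only by the attestation service and the API server (constructed placeholder, not a real key).
API_SERVER_SECRET = b"attestation-service-and-api-server-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_attestation_token(secret: bytes, app_id: str, ttl: int, now: int) -> str:
    """Model of the attestation service's output after it has checked the app:
    a short-lived HS256 JWT signed with the secret it shares with the API server.
    When attestation fails, the service signs with a different (wrong) secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": app_id, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_attestation_token(token: str, secret: bytes, now: int) -> bool:
    """API-server side check: accept only when the signature matches the shared
    secret and the token has not expired; every other request is refused."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return False
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        claims = json.loads(_b64url_decode(payload_b64))
        return int(claims["exp"]) > now
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def api_server_accepts(headers: dict, now: int) -> bool:
    """Gate applied to every API request: read the token from the header the app
    sends (the 'X-App-Token' header name is an assumption of this example)."""
    token = headers.get("X-App-Token", "")
    return verify_attestation_token(token, API_SERVER_SECRET, now)

if __name__ == "__main__":
    now = 1_700_000_000  # fixed instant so the run is reproducible
    good = issue_attestation_token(API_SERVER_SECRET, "com.example.app", 300, now)
    bad = issue_attestation_token(b"wrong-secret", "com.example.app", 300, now)
    print(api_server_accepts({"X-App-Token": good}, now))        # True
    print(api_server_accepts({"X-App-Token": bad}, now))         # False
    print(api_server_accepts({"X-App-Token": good}, now + 301))  # False
```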