I have written an iPhone application communicating with a server. The app sends a message to the server and prints the result.
Now I have a question: Is there a way to know if the message sent to the server came from an iPhone?
I am asking this because I want to prevent attackers from sending messages from somewhere else and flooding the server.
3 solutions
#1
1
If you use in-app purchases, then there is a full authentication chain that validates device X purchased the app. Your server can track this and then only give full responses to previously authenticated devices.
This approach also keeps pirated apps pretty much out of the picture.
This approach wouldn't stop a concerted DDoS attack, but your server can at least ignore non-valid clients and thus reduce its workload significantly. Since your server is ignoring invalid requests here, it also makes it less appealing to potential non-device users, and the illicit user would probably only attack you if they disliked you, as opposed to them just bogging down your server for its free web services.
If you don't use in-app purchases, you could set up your own authentication process and give a token to the device and have your server remember said tokens, and then later only serve valid responses for requests that had the said token (appropriately hashed and salted). This approach would not stop pirated apps from using your service, but would effectively stop non-devices from using your web service (again, except for concerted hacking efforts).
An even simpler approach is to have an obfuscated request format that would take a concerted effort to reverse engineer.
In all of these approaches, you might have to monitor your server for unusual activity and then take appropriate steps.
I would encourage you to match your efforts to the expected risk. You can spend days, months, even years, properly securing an app, make sure the cost is worth the reward.
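One way to implement the token scheme this answer describes, as an added example that is not part of the original answer or the poster's app (the page names no server language; Python is used here for illustration). Everything concrete is assumed: the token format `<id>.<secret-hex>`, the `X-Device-Token` header, the per-token fixed-window rate limit, and the `TokenStore` / `handle_request` names. The server keeps only a salted SHA-256 digest of each token's secret, compares it in constant time, and only counts requests toward the rate limit after the token has been verified, so that spraying bad tokens cannot lock a real device out.

```python
"""Device-token issuance and validation, a constructed example for the
answer above (not the original poster's code).

Assumed, not stated on the page: the token is "<id>.<secret-hex>" carried in
an X-Device-Token header; the server keeps only a salted SHA-256 digest of
the secret, so a leaked table cannot be replayed; a fixed-window counter per
token sheds chatty clients before any real work is done.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TokenRecord:
    salt: bytes
    digest: bytes
    window_start: float = 0.0
    window_count: int = 0


def _digest(salt: bytes, secret: bytes) -> bytes:
    # The secret is 256 random bits, so a plain salted SHA-256 is enough;
    # a slow KDF is only needed for low-entropy secrets such as passwords.
    return hashlib.sha256(salt + secret).digest()


class TokenStore:
    def __init__(self, rate_limit: int = 60, window_seconds: float = 60.0):
        self._records: Dict[str, TokenRecord] = {}
        self.rate_limit = rate_limit
        self.window_seconds = window_seconds
        # Dummy record so an unknown id costs the same as a known one
        # (no timing oracle on whether an id exists).
        self._dummy = TokenRecord(secrets.token_bytes(16), secrets.token_bytes(32))

    def issue(self) -> str:
        """Called once when the app first registers; the app persists the result."""
        token_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        self._records[token_id] = TokenRecord(salt, _digest(salt, secret))
        return f"{token_id}.{secret.hex()}"

    def check(self, presented: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'invalid' or 'rate_limited' for a presented token."""
        now = time.time() if now is None else now
        try:
            token_id, secret_hex = presented.split(".", 1)
            secret = bytes.fromhex(secret_hex)
        except ValueError:
            return "invalid"
        rec = self._records.get(token_id)
        known = rec is not None
        rec = rec if known else self._dummy
        if not hmac.compare_digest(rec.digest, _digest(rec.salt, secret)) or not known:
            return "invalid"
        # Fixed-window rate limit, applied only after authentication so that
        # an attacker cannot lock out a real device by spraying bad tokens.
        if now - rec.window_start >= self.window_seconds:
            rec.window_start, rec.window_count = now, 0
        rec.window_count += 1
        return "rate_limited" if rec.window_count > self.rate_limit else "ok"


def handle_request(store: TokenStore, headers: Dict[str, str], body: str,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Gate the real handler behind the token check; unauthenticated callers
    get a cheap fixed response and never reach the expensive path."""
    verdict = store.check(headers.get("X-Device-Token", ""), now)
    if verdict == "invalid":
        return 401, "unknown device"
    if verdict == "rate_limited":
        return 429, "slow down"
    return 200, f"echo: {body}"  # the server's real work goes here


if __name__ == "__main__":
    store = TokenStore(rate_limit=3)
    token = store.issue()  # what the app stores after registering
    print(handle_request(store, {"X-Device-Token": token}, "hello"))
    print(handle_request(store, {"X-Device-Token": "deadbeef.00"}, "hello"))
```

This stops requests that carry no valid token, which is all the answer claims; a copy of the app that registers normally still gets a token, and a determined attacker can still extract one from a device, so monitoring per-token volume (the rate limit above is the crude version) is what catches abuse from "valid" clients.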
#2
0
You could do some form of authentication, encryption or fingerprinting, e.g. using SHA, MD5, etc. That way you could make it difficult (but not impossible) for an attacker to abuse your server.
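A keyed version of the "fingerprinting" this answer mentions, as an added example that is not part of the original answer. A bare SHA or MD5 digest of the message proves nothing, because anyone who has seen the request format can recompute it; an HMAC over the request with a secret the server also knows is what makes the fingerprint hard to forge. All specifics are assumed: the shared `APP_SECRET` (compiled into the app, so this only raises the bar, since whoever extracts it can sign), the `X-Timestamp` / `X-Nonce` / `X-Signature` headers, the 300 s skew window, and the `sign` / `Verifier` names. The verifier also rejects stale and replayed requests, which a plain digest cannot do.

```python
"""Keyed request fingerprinting with HMAC-SHA256, a constructed example for
the answer above (not the original poster's code).

Assumed, not stated on the page: app and server share APP_SECRET (compiled
into the app, so this only raises the bar; whoever extracts it can sign),
each request carries X-Timestamp, X-Nonce and X-Signature headers, and the
server tolerates 300 s of clock skew while remembering nonces to stop replays.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

APP_SECRET = b"constructed-demo-secret-not-for-production"  # constructed value
MAX_SKEW = 300.0


def unkeyed_fingerprint(body: bytes) -> str:
    """The weak form: a bare MD5 of the message. Anyone who sees the format
    can recompute it, so it proves nothing about who sent the request."""
    return hashlib.md5(body).hexdigest()


def canonical(method: str, path: str, timestamp: str, nonce: str, body: bytes) -> bytes:
    # Bind every field the server acts on. The body is hashed to keep the
    # string short; the other fields are assumed to contain no newlines, so
    # newline-joining is unambiguous.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, timestamp, nonce, body_hash]).encode()


def sign(method: str, path: str, body: bytes,
         timestamp: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: the headers the app attaches to an outgoing request."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(APP_SECRET, canonical(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: accept a request only if it is fresh, unseen and signed."""

    def __init__(self, secret: bytes = APP_SECRET, max_skew: float = MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self._seen: Dict[str, float] = {}  # nonce -> time it can be forgotten

    def verify(self, method: str, path: str, body: bytes,
               headers: Dict[str, str], now: Optional[float] = None) -> str:
        """Return 'ok', 'missing', 'stale', 'bad_signature' or 'replay'."""
        now = time.time() if now is None else now
        try:
            ts, nonce, sig = headers["X-Timestamp"], headers["X-Nonce"], headers["X-Signature"]
            ts_val = int(ts)
        except (KeyError, ValueError):
            return "missing"
        if abs(now - ts_val) > self.max_skew:
            return "stale"  # cheap rejection before any crypto
        expected = hmac.new(self.secret, canonical(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad_signature"  # method, path or body altered, or no secret
        # The replay check runs only for authentic requests, so forged traffic
        # cannot fill the nonce cache.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = now + 2 * self.max_skew
        return "ok"


if __name__ == "__main__":
    verifier = Verifier()
    msg = b'{"msg":"hello"}'  # constructed request body
    headers = sign("POST", "/message", msg)
    print(verifier.verify("POST", "/message", msg, headers))       # ok
    print(verifier.verify("POST", "/message", msg, headers))       # replay
    print(verifier.verify("POST", "/message", b"tampered", headers))  # bad_signature
```

The point of the contrast with `unkeyed_fingerprint` is that the digest only authenticates when the attacker lacks an input to it (the key); SHA-256 versus MD5 matters far less here than keyed versus unkeyed. `hmac.compare_digest` is used rather than `==` so that the comparison does not leak the position of the first mismatching byte.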
#3
0
You can't tell it's from an iPhone until you have received and examined the connection on the server. If you do that, you have already opened the possibility of a DoS (denial of service) attack due to connection exhaustion.