Making A Webservice Secure

2020-06-16 03:59发布

Im wrapping up my Iphone app. Im just worried about security at our web server level. The data is being pulled over to the iphone app via web services.

What security measures can i put on the web services so that I am not vulnerable?

Thanks

3条回答
混吃等死
2楼-- · 2020-06-16 04:01

A few pointers:

  • Verify all requests from the Web Service using RSA signed XML
  • Make sure everything is transmitted over SSL
  • Encrypt all data traffic. I recommend looking into the DUKPT key management system, using AES encryption.
  • Use WCF - It is the latest standard after all (also this)
  • Use some sort of web service authentication. This can be as simple as every request needing a username and password to be valid. This will slow down direct call attempts, and if you get the encryption right, you won't have to have the usernames and passwords in plain XML.
  • The most important thing is make sure the server itself is secure. If someone cracks the server, you're dead in the water, nevermind what else you do.

EDIT:

Have a look at this question for iPhone to .NET AES Interoperability.

查看更多
乱世女痞
3楼-- · 2020-06-16 04:21

It doesn't matter what you "put on" the WCF service if your WCF service is insecure. You must assume that an attacker can access your web service without the iPhone client. Is your web service vulnerable to sql injection? Are you exposing nasty functionality that could allow an attacker to read files on your server or to change another users account? Keep OWASP Injection flaws in mind. Use HTTPS to keep your clients safe from spilling information. The rest should be making sure the functionality you expose is safe.

An attacker will be able find any secret key or password you try and store in your iPhone binary or in memory. The attacker has more control over the iPhone than you do, he can jail break the device and then there is no place to hide.

查看更多
甜甜的少女心
4楼-- · 2020-06-16 04:27

You can secure your services with normal HTTP Auth, SSL if you're not using the web service payload to implement authentication. Are you the server side programmer too?

查看更多
登录 后发表回答