java - 你如何保护 flutter 中的 restful api 端点

Question

我有一个调用后端 API 服务器的 flutter 移动应用程序。这需要一个 API key 。我不想将 key 嵌入到应用程序中。如何保护 API key 和端点以防止未经授权的访问。我的应用不需要用户登录。

我能想到的唯一想法是有一个直通(nodejs)服务器来调用 API 服务器，我可以将 key 存储在该服务器上，因此它不在应用程序中

但是，现在我需要保护 Node 服务器。

有关如何执行此操作的任何建议或您是否有更好的解决方案。

感谢您的建议

例子

class UserService {
  Future<List<users>> getUser() async {
    var response =
        await http.get(Uri.parse(user));
    final int statusCode = response.statusCode;
    User uData = json.decode(response.body);
    return uData
  }
}

App.js

var express = require('express');
var app = express();
var PORT = process.env.PORT || 3000;

app.get('/user', function(req, res) {
  res.json({
    "employees": [
      { "firstName":"John"  , "lastName":"Doe"   },
      { "firstName":"Anna"  , "lastName":"Smith" },
      { "firstName":"Peter" , "lastName":"Jones" }
    ]
  })
});

app.listen(PORT);

Answer 1

问题

The only idea that I can come up with is to have a pass-thru (nodejs ) server that makes the call to the API server and I can store the key on that server so it is not in the app

However, now I will need to protect the node server.

您只是将问题从保护您的 API 后端转移到必须保护直通服务器，正如我在本文 Using a Reverse Proxy to Protect Third Party APIs 中描述的那样，它实际上是一个反向代理。 :

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.

逆向工程

因此，实际上，通过使用直通服务器，您隐藏了 API key ，以免直接暴露给窥探者，但任何人仍然可以通过直通服务器访问您的后端 API，即使您还保护了对通过访问 key (API key 、 token 等)获取它，因为他们将通过逆向工程技术或 MitM 攻击提取访问 key ，就像我在我写的一些文章中描述的那样:

Steal that Api Key with a Man in the Middle Attack :

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

How to Extract an API key from a Mobile App with Static Binary Analysis :

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.

我强烈建议任何人阅读上述文章，以熟悉从移动应用程序中提取 secret 的一些可能方法，因为您将学习几种隐藏这些 secret 的方法及其权衡。

可能的解决方案

Any suggestion on how to do this...

因此，任何在客户端运行并需要一些 secret 才能访问 API 的东西都可能以不同的方式被滥用，您可以在 this series 上了解更多信息关于移动 API 安全技术的文章。本文将向您介绍如何使用 API key 、用户访问 token 、HMAC 和 TLS Pinning 来保护 API 以及如何绕过它们。

要解决什么访问您的移动应用程序的问题，您需要使用我在上面提到的关于移动 API 安全技术的系列文章中提到的一个或所有解决方案，并且接受它们可以只会让未经授权的访问您的 API 服务器更难绕过，但并非不可能。

一个可能更好的解决方案

...or do you have a better solution.

可以通过使用移动应用证明解决方案来采用更好的解决方案，该解决方案将使 API 服务器知道只接收来自真实移动应用的请求并了解更多信息我建议您阅读 this answer我给出了如何为移动应用程序保护 API REST？ 的问题，尤其是加固和屏蔽移动应用程序、保护 API 服务器部分> 和一个可能更好的解决方案。

您想加倍努力吗？

在任何对安全问题的回答中，我总是喜欢引用 OWASP 基金会的出色工作。

APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

对于移动应用

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide :

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.