
java - How to protect RESTful API endpoints in Flutter

I have a Flutter mobile app that calls a backend API server. This requires an API key. I don't want to embed the key in the app. How can I protect the API key and the endpoint from unauthorized access? My app does not require users to log in.

The only idea I can come up with is to have a pass-thru (nodejs) server that makes the call to the API server; I can store the key on that server so it is not in the app.

However, now I will need to protect the node server.

Any suggestion on how to do this, or do you have a better solution?

Thanks for any suggestions.

Example

import 'dart:convert';
import 'package:http/http.dart' as http;

// Assumes a User model with a fromJson factory (not shown in the question).
class UserService {
  // Placeholder endpoint; the original snippet referenced an undefined `user`.
  static const String userUrl = 'https://example.com/user';

  Future<User> getUser() async {
    var response = await http.get(Uri.parse(userUrl));
    final int statusCode = response.statusCode;
    if (statusCode != 200) {
      throw Exception('Request failed with status $statusCode');
    }
    User uData = User.fromJson(json.decode(response.body));
    return uData;
  }
}

app.js

var express = require('express');
var app = express();
var PORT = process.env.PORT || 3000;

app.get('/user', function(req, res) {
  res.json({
    "employees": [
      { "firstName":"John"  , "lastName":"Doe"   },
      { "firstName":"Anna"  , "lastName":"Smith" },
      { "firstName":"Peter" , "lastName":"Jones" }
    ]
  })
});

app.listen(PORT);



1 answer

  1. # Answer 1

    The Problem

    The only idea that I can come up with is to have a pass-thru (nodejs ) server that makes the call to the API server and I can store the key on that server so it is not in the app

    However, now I will need to protect the node server.

    You have moved the problem from protecting the API backend to having to protect the pass-thru server, which is in fact a reverse proxy, as I describe in this article: Using a Reverse Proxy to Protect Third Party APIs

    In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.

    Reverse Engineering

    So, in fact, by using the pass-thru server you can hide your API key so that it is not directly exposed to prying eyes, but anyone can still access your backend API through the pass-thru server, even if you also protect access to it with an access key (API key, token, etc.), because they will extract the access key through reverse engineering techniques or a MitM attack, as I describe in some articles:

    Steal that Api Key with a Man in the Middle Attack

    In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

    So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

    How to Extract an API key from a Mobile App with Static Binary Analysis

    The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

    During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.

    I really recommend that anyone read the above articles to become familiar with some of the possible ways of extracting secrets from a mobile app, because you will learn several ways of hiding those secrets along with their pros and cons.

    Possible Solutions

    Any suggestion on how to do this...

    So, anything that runs on the client side and needs some secret in order to access an API can be abused in different ways, and you can learn more about this in this series of articles about Mobile API Security Techniques. The articles will show you how API keys, user access tokens, HMAC and TLS pinning can be used to protect an API, and how they can be bypassed.

    To solve the problem of what is accessing your mobile app, you need to use one or all of the solutions mentioned in the series of articles about Mobile API Security Techniques that I referenced above, and accept that they will only make unauthorized access to your API server harder to bypass, but not impossible.

    A Possible Better Solution

    ...or do you have a better solution.

    A better solution can be achieved by using a Mobile App Attestation solution, which will let the API server know that it is receiving only requests from a genuine mobile app. To learn more, I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

    Do You Want To Go The Extra Mile?

    In any response to a security question I always like to reference the excellent work from the OWASP foundation.

    For APIs

    OWASP API Security Top 10

    The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

    For Mobile Apps

    OWASP Mobile Security Project - Top 10 risks

    The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

    OWASP - Mobile Security Testing Guide

    The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.