Normal API calls can be traced with a network debugging proxy such as Charles.
So the uplink and downlink data are encrypted to prevent this.
But when I checked some apps, the API URL was hidden as well. How can the same be achieved in iOS?
Example:
Note: I also checked after adding the SSL certificate to my phone. Still nothing is shown.
Best answer
This mechanism is called SSL pinning.
Theory:
What is Pinning?
Pinning is an optional mechanism that can be used to improve the security of a service or site that relies on SSL Certificates. Pinning allows you to specify a cryptographic identity that should be accepted by users visiting your site.
That sounds complex, but it's actually pretty simple. Let's start by breaking that down:
A cryptographic identity is a file that can prove the identity of a server/host through cryptography. An SSL certificate, a public key, and a CSR are all examples of a cryptographic identity. That pin would then tell the client to remember that identity (or identities) and only accept those when establishing future secure connections.
So, if you wanted to use pinning, you would configure your server (in some situations – think internal systems – you may also configure the clients) and specify what you wanted to pin. Browsers and other clients would evaluate the pinned identity on every connection. If any other identity was presented, the client would abort the connection (which is what happened in your case with Charles Proxy).
To think big picture: an SSL connection tells the client to make an encrypted connection with any identity matching that host. Pinning tells the client a specific identity they should accept when making a secure connection.
So, for example, if our site is example.com, we could pin an identity. When a user visits our site, they would receive the pinned information. On a future visit, their browser would take action if we tried to get the client to use a different identity.
Practice:
The server certificate is stored in the app bundle and is the master key of SSL pinning. Then, when the client receives the certificate from the server, it compares the two certificates to make sure they are the same before establishing the connection.
The Alamofire HTTP networking library has built-in support for SSL pinning and is very easy to use:
import Foundation
import Alamofire   // Alamofire 4 API: ServerTrustPolicy / SessionManager

// Load the DER-encoded certificate shipped in the app bundle.
let pathToCert = Bundle.main.path(forResource: "name-of-cert-file", ofType: "cer")
let localCertificate: NSData = NSData(contentsOfFile: pathToCert!)!

// Pin to that certificate while still validating the chain and the host name.
let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
    certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
    validateCertificateChain: true,
    validateHost: true
)

// Policies are keyed by host name.
let serverTrustPolicies = [
    "my-server.com": serverTrustPolicy
]

// Every request made through this manager is evaluated against the policies above.
let sessionManager = SessionManager(
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
For "ios - How to provide advanced API call security - iOS", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52438330/