App backend design (4) -- Communication Security

An important factor in app background design is the security of communication.

 

Therefore, we need to consider the following points:

1. In the app and the background, no plaintext of any user password can be saved

2. How to ensure the security of user information during app and background Communication

 

In apps, user operations are classified into two types based on security considerations:

1. User Login Registration

2. Other user operations

 

In the first step, the user password will appear during user login and registration. Therefore, in this process, you must use https communication to ensure communication security.

 

Second, how can we ensure the security of this part of communication through other user operations?

 

In my design, public keys and private keys are used to ensure security. The User id is the public key, and the user id is encrypted using a certain algorithm to obtain an encrypted string that is the private key. After a user logs on or registers, the public key and private key are returned to the app client through https.

 

The process is as follows:

 

 

<? Php/*** generates VerfyCode by encrypting URLs and parameters, for example, the url for retrieving a user's feed is * http://www.test.com/api/home/feed/count/1/page/20/id/1 ** the parameter passed by the api url for http://www.test.com/api/home/feed/ * Is param = array ("id" => 1, "page" => 20, "count" => 1) ** in the parameters passed to the server by the app, add the VerfyCode generated using generateVerfyCode, * So the url sent to the server should be * http://www.test.com/api/home/feed/count/1/page/20/id/1/verifycode/95aa9066d5801815a57bbe537280406b5516cb2a ** the server generates VerfyCode Based on the url and parameters with the same algorithm, * compare the VerfyCode passed by the app with the VerfyCode generated by the server, you will know whether the url has been changed during transmission ** @ param $ apiUrl api url * @ param $ param url included in the parameter * @ param $ token obtained by id private Key */function generateVerfyCode ($ apiUrl, $ param, $ token) {$ params_data = ""; $ params_data. = $ apiUrl; ksort ($ param); foreach ($ param as $ key => $ value) {$ params_data = $ params_data. $ key. $ value;} $ params_data = $ params_data. $ token; return sha1 ($ params_data);} echo generateVerfyCode ("http://www.test.com/api/home/feed/", array ("id" => 1, "page" => 20, "count" => 1), "23423242342432"); // result 95aa9066d5801815a57bbe537280406b5516cb2a

 

However, this method has a disadvantage. When someone intercepts this url, it can be used again. Therefore, an improved method is to add a timestamp to the passed parameter, when it is found that the timestamp has been a long time since now, it is determined that the url has expired. But how can I ensure the time synchronization between the app time and the server time with the timestamp? You can set a clock in the app every time the app starts and registers for login and Synchronizes time with the server. The timestamp is obtained from the internal clock of the app to prevent users from modifying the mobile phone time.

 

App back-end articles directory

 

 

 

[Author] Zeng jiansheng

[Author email] h6k65@126.com

[Author QQ] 190678908

[Sina Weibo] @ newjueqi

[Blog] http://blog.csdn.net/newjueqi

Http://blog.sina.com.cn/h6k65