Mobile app communication protocol and the choice of serialization mode

Simply list the different protocols, serialization methods, and so on.

HTTP or private protocol? HTTP protocol Advantages/disadvantages:

On the server side only need to provide a copy of the interface, browser and app sharing. Embedding a Web view in the app is also easy.

There are a number of tools related to the HTTP protocol. Developers are very convenient. such as load balancing, the direct nginx to fix.

For example, the number of calls to count an interface, quite convenient, there are now analysis tools.

Stress testing is also very convenient.

The HTTP protocol may be vulnerable to an HTTP server, but the vulnerability is really rare.

The phone can set up an HTTP proxy, which may be critical for some users. If it is a private protocol, setting up an HTTP proxy will not work.

Private protocol Advantages/disadvantages:

More complex, you can do a layer of encryption yourself.

There is a cost to reverse, and an attacker may abandon it.

Different languages, each platform to develop a set of time-consuming labor.

Your own implementation of the protocol is likely to have loopholes, to prevent malicious attacks.

Save traffic.

HTTP tunnel may be needed under Wmwap.

Serialization mode selection, JSON or PROTOBUF, etc.? Json:

Common data Interchange Format, developers are very familiar with the three-party tool library a lot.

The volume of data is relatively large.

Without versioning, the front and back end requires a certain amount of communication costs.

Xml:

Large size, in the HTTP service, belongs to the discarded format.

Protobuf/thrift:

Version upgrades are easy and basically no burden.

Small size.

There is no official standard for communication protocols, and third-party implementations can be confusing.

If it is a tool-generated code, there is basically no serialized vulnerability.

It is said that Protobuf is used.

Other serialization methods, or their own custom serialization:

May encounter a bug that is serialized;

The issue of multi-lingual support;

The problem of serialization vulnerability;

How to deal with Cmwap?

Seemingly cmwap users are still a lot of.

Http://s.weibo.com/weibo/cmwap

It seems to support Cmwap:

Http://weixin.qq.com/cgi-bin/readtemplate?promote=2&nav=contact&t=weixin_faq_networkflow

http://www.zhihu.com/question/19796744 A 11-year Cmwap and cmnet of the user ratio of Dongdong.

If it's your own custom protocol, you can do the HTTP tunnel, which is to start by sending an HTTP header to trick the Mobile gateway.

TODO: There are some cmwap HTTP tunnel articles on the web that should theoretically be possible.

HTTP or HTTPS?

Security Considerations:

HTTPS is more secure than HTTP.

For apps, a big security threat is fake WiFi hotspots, which are easily caught by HTTP.

Although the OpenSSL vulnerability makes people realize that HTTPS is not so secure. But for the vast majority of people, HTTPS is still very safe, because the attack is very successful.

But even if HTTPS is not so safe, refer to: How much harm can traffic hijacking have?

HTTPS is slower than HTTP;

The cost of the certificate;

Deployment of the problem, the certificate should be placed on the CDN, or not get the user's real IP;

See a data, in China 20% of the region's wireless users with HTTPS is not connected (authenticity, technical unknown).

is the whole station HTTPS or partial HTTPS?

HTTPS development is more complex than HTTP;

Summarize:

People think, for most of the APP,HTTP protocol +json format is a better choice.

Because this is the easiest to maintain development, the cost is also relatively low.