App Interface Security issues

Source: Internet
Author: User
Keywords: Php
How to ensure security?
How do you make the app interface secure?
There are several approaches online:
1. Submit a username and password, but many interfaces are public.
2. The client and the server generate the same token; if it is time-based, then a request sent at minute 59 is received by the server at minute 01, and the data does not match.
3. Is there any way to solve this problem?

Reply content:


First of all, HTTPS can be enabled; it is strong against packet capture.
Secondly, the client and the server share a set of encryption or hashing algorithms, with parameters that include random authentication parameters and server identity verification.
Finally, some special validation parameters can be defined in the header (including, of course, token-like things).

However, these are only valid if the client is not decompiled.

The first issue: many interfaces require a token or key to be called, and of course some interfaces are open. With a username and password you can call them. What security is there? At best, some mechanisms to prevent brute force.
Second, most timestamp-based encryption passes parameters, and in the process these cryptographic parameters are passed in full (of course, there are some private keys that only take part in the encryption process, are never transmitted, and are never exposed for everyone to see. There seem to have been a couple of cases where a provider's developers exposed a large number of appsecrets, causing XXX). That is, the system receives the request, encrypts the received request data and compares.
The third question: if you understand what is said above, it should be clear.
A simple encryption process:
Third party: appid, appsecret [private]
App interface: appid, appsecret
When the third party calls the app interface it passes: appid + timestamp + md5(appid + timestamp + appsecret); note that the appsecret itself is not transmitted when invoking the app.
The app receives the request, takes the appid + timestamp from it, obtains the appsecret from its store via the appid, computes md5(appid + timestamp + appsecret), compares it with the third party's md5 string, and throws an error if they differ.
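The signing scheme from this reply, worked through in Python as an added example (not code from the original post): the third party signs appid + timestamp with the secret, the app recomputes and compares. It goes beyond the reply by adding a nonce (the "random authentication parameter" mentioned earlier) and a tolerance window instead of per-minute buckets, which is what the 59 -> 01 minute complaint in the question is about. The appid and secret are constructed sample values; md5 is kept to mirror the page, with hmac/sha256 being the stronger choice for a new design.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential (not from the page). The secret lives only in
# the third party's configuration and in the app's credential store.
SECRETS = {"app_demo": "s3cr3t-example"}  # appid -> appsecret
ALLOWED_SKEW = 300        # seconds of client/server clock difference tolerated
seen_nonces = set()       # replay cache; production needs a store with expiry


def sign(appid, timestamp, nonce, appsecret):
    """The reply's scheme, md5(appid + timestamp + appsecret), plus a nonce.
    md5 mirrors the page; hmac.new(secret, msg, 'sha256') is the stronger choice."""
    return hashlib.md5(f"{appid}{timestamp}{nonce}{appsecret}".encode()).hexdigest()


def build_request(appid, appsecret, now=None, nonce=None):
    """Third-party side: the secret is used for the signature but never sent."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(8)
    return {"appid": appid, "timestamp": ts, "nonce": nonce,
            "sign": sign(appid, ts, nonce, appsecret)}


def verify_request(req, now=None):
    """App side: look up the secret by appid, recompute, compare in constant time.
    A +/- ALLOWED_SKEW window accepts a request that crosses a minute boundary
    in transit; the nonce check blocks replays inside that window."""
    now = int(now if now is not None else time.time())
    secret = SECRETS.get(req.get("appid"))
    if secret is None:
        return False, "unknown appid"
    try:
        ts = int(req["timestamp"])
        nonce = str(req["nonce"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed request"
    if abs(now - ts) > ALLOWED_SKEW:
        return False, "timestamp outside window"
    expected = sign(req["appid"], ts, nonce, secret)
    # Signature first, so an unsigned attacker cannot burn nonces in the cache.
    if not hmac.compare_digest(expected, str(req.get("sign", ""))):
        return False, "signature mismatch"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"
```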

HTTPS + SSL pinning + Token

1. HTTPS
2. Signature mechanism (Token)
3. Interface content encryption (RSA/AES)
4. OAuth2

Transfer the public key, encrypt with the private key.
