App's backend interface communication scheme

Source: Internet
Author: User

This article draws on online materials combined with some of my own development experience; if you don't like it, please don't flame.

When designing an app's backend, one very important factor to consider is the security of communication.

Therefore, the main points we need to consider are:

1. Neither the app nor the backend may store any user password in plaintext.
2. How to keep user information secure while the app and the backend communicate.
3. How to protect the app against decompilation.


In the app, the user's actions are divided into two categories according to their security requirements:

1. User login and registration.
2. All other user actions.

In the first category, login and registration, the user's password is transmitted, so this step must use HTTPS to keep the communication secure.
In the second category, the user's other actions, how do we keep this part of the communication secure?

In my design, a public key and a private key are used to ensure security. The user's ID serves as the public key, and the private key is the string obtained by encrypting the user's ID with a certain algorithm. When the user logs in or registers, both the public key and the private key are returned to the app client over HTTPS.

This method has a drawback: if someone intercepts the URL, it can be reused. An improved method adds a timestamp to the parameters passed; when the server finds that the timestamp is too old, it treats the URL as invalid. But how do you keep the app's timestamps in sync with server time? You can synchronize time with the server each time the app starts or registers, then maintain a clock inside the app and take timestamps from that internal clock, so that users cannot defeat the check by changing the phone's time.
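The scheme from the two paragraphs above, written out as an added example (this is not code from the original post). The post only says the user ID is "encrypted by a certain algorithm"; here that is assumed to be HMAC-SHA256 under a server-held key, so the server can re-derive the private key from the public key (the user ID) on every request instead of storing it. The timestamp window rejects old URLs, and the `ClientClock` models the app-internal clock synced against the server. The per-request nonce goes beyond the text: a timestamp alone still allows a captured URL to be replayed for as long as the window is open, so the server also remembers nonces it has already accepted.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed server-side master key (assumption: the post does not name the
# algorithm; HMAC-SHA256 keyed with a server secret is our choice here).
SERVER_KEY = b"constructed-server-master-key"
MAX_SKEW_SECONDS = 300  # how old a timestamp may be before the URL counts as invalid


def derive_private_key(user_id: str, server_key: bytes = SERVER_KEY) -> str:
    """Per-user 'private key' derived from the public key (the user ID)."""
    return hmac.new(server_key, user_id.encode(), hashlib.sha256).hexdigest()


def _canonical(params: dict) -> str:
    # Sorted, URL-encoded form so client and server sign exactly the same bytes.
    return urlencode(sorted(params.items()))


def sign_request(user_id: str, private_key: str, params: dict,
                 timestamp: int, nonce: str | None = None) -> dict:
    """Client side: attach uid, ts and a nonce to the parameters, then sign them."""
    body = dict(params, uid=user_id, ts=str(timestamp), nonce=nonce or secrets.token_hex(8))
    body["sig"] = hmac.new(private_key.encode(), _canonical(body).encode(),
                           hashlib.sha256).hexdigest()
    return body


def verify_request(signed: dict, now: int, seen_nonces: set | None = None,
                   max_skew: int = MAX_SKEW_SECONDS,
                   server_key: bytes = SERVER_KEY) -> tuple[bool, str]:
    """Server side: check freshness, then the signature, then (optionally) replay."""
    fields = dict(signed)
    sig = fields.pop("sig", None)
    if sig is None or not {"uid", "ts", "nonce"}.issubset(fields):
        return False, "missing fields"
    try:
        ts = int(fields["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > max_skew:
        return False, "expired"  # the URL has been around too long
    expected = hmac.new(derive_private_key(fields["uid"], server_key).encode(),
                        _canonical(fields).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if seen_nonces is not None:
        key = (fields["uid"], fields["nonce"])
        if key in seen_nonces:
            return False, "replayed"  # same URL submitted twice inside the window
        seen_nonces.add(key)
    return True, "ok"


class ClientClock:
    """App-internal clock: synced against the server at startup, so request
    timestamps do not depend on the phone's user-editable clock."""

    def __init__(self) -> None:
        self.offset = 0

    def sync(self, server_now: int, local_now: int) -> None:
        self.offset = server_now - local_now

    def now(self, local_now: int) -> int:
        return local_now + self.offset


if __name__ == "__main__":
    clock = ClientClock()
    clock.sync(server_now=1_700_000_000, local_now=1_690_000_000)  # phone clock far behind
    key = derive_private_key("user42")  # what login/registration would return over HTTPS
    req = sign_request("user42", key, {"action": "list_orders"}, clock.now(1_690_000_010))
    print(verify_request(req, now=1_700_000_012, seen_nonces=set()))
```

Note that the server-side `seen_nonces` set only needs to retain entries for `MAX_SKEW_SECONDS`, since anything older is already rejected by the timestamp check.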

Later, because of new requirements from the project's product side, the web front end also had to use this same interface. The scheme above cannot be applied there unchanged, because the web end is effectively a PC: if it used the same interface, all the security problems would be exposed. Anyone familiar with the front end knows that much of the JavaScript is completely visible to others, and the private-key handling in particular is complex. iOS and Android can store the secret key in native storage or a database, but a web page cannot! However, the web page can keep the private key in the session and verify it on each request, which solves the problem.

Finally, I hope this helps everyone, thank you!
