App's backend interface communication scheme

This article is a reference to the online materials, and combined with some of their own development experience written, do not like to spray!

In the background design of the app, a very important factor is to consider the security of communication.

Therefore, the main points we need to consider are:
1. Neither the app nor the background can save the plaintext of any user password
2. How to ensure the security of user information in the process of app and background communication

3,app the anti-compilation process


In the app, depending on security, the user's actions are divided into two categories:

1. User Login Registration operation

2. Other actions of the user
In the 1th, the user login registration operation, the user password will appear, so in this process, you must use HTTPS communication, to ensure the security of communications.
In the 2nd, the user's other operations, how to ensure the security of this part of the communication?

In my design, the public key and private key are used to ensure security. The user's ID is the public key, and the user's ID is encrypted by a certain algorithm to get an encrypted string that is the private key. When the user logs on or registers, the public key and the private key are returned to the app client over HTTPS.

But this method has a drawback, when others intercepted the URL can be reused, so there is an improved method is to add a timestamp in the parameters passed, when the time stamp found that the time has been long, it is determined that the URL has been invalidated. But how do you keep your app's time and server time in sync with timestamps? You can synchronize time with the server each time the app starts and registers, and then build a clock inside the app that timestamps in the app's internal clock to prevent users from modifying the phone's time.

Background due to the new requirements of the project development side, GO is also this interface, if you want to use the above scheme can not go through, because the end of the equivalent of a PC, if the same interface, no doubt put all the security problems exposed, familiar point front end of all know, many front-end JS script completely exposed to others, Especially the private key processing, especially complex! Ios,android can store the secret key in native text or database, but the webpage can't! But the Web page can exist in the private key session, each request to the corresponding check, it can be solved!

Finally, I hope to help everyone, thank you!

App's backend interface communication scheme