Submitting a user's private data
Always use a POST request to submit a user's private data
All parameters of a GET request are exposed directly in the URL
The requested URL, query string included, is normally recorded in the server's access log (and usually in proxy logs and browser history as well)
Server access logs are one of the first things an attacker goes after, so anything placed in a URL should be assumed to leak
User's private data
Login password
Account
... ...
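To make the access-log point concrete, here is an added example (not code from the original page) that scans constructed Common Log Format lines for credentials carried in a GET query string. The log lines, the IP addresses and the parameter names in SENSITIVE_PARAMS are constructed for the demonstration; a POST line never trips the check because the body is not written to the access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format; hosts, paths and values are made up.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2015:10:01:02 +0800] "GET /login?username=alice&pwd=s3cret HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2015:10:01:09 +0800] "POST /login HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2015:10:02:30 +0800] "GET /profile?id=42 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2015:10:03:11 +0800] "GET /api/token?access_token=abc123 HTTP/1.1" 200 64
"""

# Parameter names that should never travel in a URL (assumed list for the example).
SENSITIVE_PARAMS = {"pwd", "password", "passwd", "pass", "access_token", "token", "secret", "card"}

# Request line: method, target, protocol.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_leaked_params(log_text):
    """Return (line_no, method, path, {param: value}) for every request whose
    query string carries a sensitive parameter.

    Only the URL is logged, so a POST body (where the same data belongs) is
    invisible here; that is exactly why the rule above says to use POST.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        leaked = {k: v for k, v in params.items() if k.lower() in SENSITIVE_PARAMS}
        if leaked:
            findings.append((line_no, m.group("method"), parts.path, leaked))
    return findings


if __name__ == "__main__":
    for line_no, method, path, leaked in find_leaked_params(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: {method} {path} leaks {sorted(leaked)}")
```

Run it against a real access log to find out whether any existing endpoint already accepts credentials via GET; the finding for line 1 is the case the text describes, and line 4 shows that tokens are just as exposed as passwords.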
Data security
Submitting the user's private data with a POST request alone still does not solve the security problem
Anyone can set up a proxy with software such as Charles, point the phone at it and read every request the phone sends, POST bodies included
Therefore: private data must never be submitted in the clear; hash or encrypt it before sending. Note that a captured hash can be replayed to the server exactly as it was sent, so client-side hashing protects the original plaintext but is no substitute for TLS (HTTPS) with proper certificate validation
Common cryptographic algorithms
MD5 \ SHA \ DES \ 3DES \ RC2 and RC4 \ RSA \ IDEA \ DSA \ AES
(MD5 and SHA are hash functions; DES, 3DES, RC2, RC4, IDEA and AES are symmetric ciphers; RSA is an asymmetric cipher; DSA is a signature algorithm. DES, RC2, RC4 and unsalted MD5 are obsolete and should not be chosen for new designs.)
Selection of a cryptographic algorithm
Most companies have an encryption scheme of their own; follow the company's interface documentation when deciding how to encrypt
MD5 hashing
What is MD5
Full name: Message-Digest Algorithm 5, i.e. the fifth version of the Message Digest algorithm
Effect: produces a 128-bit digest (32 hexadecimal characters) for any input
Features of MD5
Fixed-length output: whatever the size of the input, the digest is always 128 bits
One-way: the original plaintext cannot be derived from the digest, i.e. the process is irreversible (MD5 is a hash, not encryption, which is why "MD5 decryption" sites can only look up digests of inputs they have already seen)
Collision resistance was a design goal but is broken: since 2004 it has been practical to construct two different inputs with the same MD5 digest, so MD5 must not be relied on for digital signatures or for integrity verification against an active attacker
Applications of MD5
Because MD5 is fast, free and available everywhere, it has been used very widely
Mainly in digital signatures, file integrity verification and password storage; today it is acceptable only for the last of these, only when salted, and a slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) is preferred even then
MD5 lookup ("decryption") website: http://www.cmd5.com (a database of precomputed digests; the unsalted MD5 of any common password is found instantly)
MD5 improvements
MD5 on its own is no longer safe; the following small changes raise the cost of recovering the plaintext
Add salt: insert a string into the plaintext at a fixed position before hashing (MD5($pass . $salt)). The salt should be random and different for every user and stored next to the hash: a single salt embedded in the app is recovered by reverse engineering (see "Code security" below) and then only defeats ready-made lookup tables, not a dictionary attack with the known salt
Hash first, then reorder: MD5 the plaintext, then shuffle the characters of the resulting digest. The shuffle is a fixed permutation, so anyone who has the client undoes it in one step; this adds obscurity rather than security
... ...
In short, the goal is that even if the database is compromised, the attacker cannot recover the correct plaintext from what is stored
Network Data Encryption Scheme
1> Encrypted objects: private data such as passwords and bank information
2> Encryption scheme
* Private data must be submitted with a POST request (over HTTPS)
* Private data is protected with a cryptographic algorithm before it is sent, for example a salted hash for passwords
3> Encryption enhancement, to make cracking harder
* Double MD5: MD5(MD5($pass))
* Salt the plaintext first, then MD5 it: MD5($pass . $salt)
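The following added example (not code from the original page) reproduces the page's three MD5 variants in Python so they can be compared directly, and then shows the scheme the "MD5 improvements" section is reaching for: a random per-user salt with a deliberately slow key-derivation function. PBKDF2-HMAC-SHA256 from hashlib is a swapped-in technique, not something the page describes; the fixed salt "AAA", the wordlist and the sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# The page's three variants, written out for comparison.
FIXED_SALT = "AAA"  # same fixed, app-embedded salt as the page's md5Salt: method


def md5_salt(password):
    """MD5($pass . $salt) with a salt that is the same for every user."""
    return md5_hex(password + FIXED_SALT)


def double_md5(password):
    """MD5(MD5($pass))."""
    return md5_hex(md5_hex(password))


def md5_reorder(password):
    """MD5 first, then move the first two hex characters to the end."""
    digest = md5_hex(password)
    return digest[2:] + digest[:2]


def undo_reorder(stored):
    """The reordering is a fixed permutation: whoever has the client (or a
    single known password) inverts it in one line."""
    return stored[-2:] + stored[:-2]


def dictionary_attack(stored, scheme, wordlist):
    """Recover the password behind a stored value by running each candidate
    through the same scheme. Works for all three variants above because
    nothing in them differs per user, so one precomputed table covers everyone."""
    for candidate in wordlist:
        if scheme(candidate) == stored:
            return candidate
    return None


# What to store instead: a random 16-byte salt per user and a slow KDF.
# The iteration count is an assumption for the example; tune it upwards for production.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": key.hex()}


def verify_password(record, password):
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so the check does not leak which prefix matched.
    return hmac.compare_digest(key.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed wordlist and password for the demonstration.
    wordlist = ["123456", "password", "qwerty", "letmein", "iloveyou"]
    pw = "letmein"
    for name, scheme in [("md5", md5_hex), ("md5_salt", md5_salt),
                         ("double_md5", double_md5), ("md5_reorder", md5_reorder)]:
        stored = scheme(pw)
        print(f"{name:12} stored={stored} recovered={dictionary_attack(stored, scheme, wordlist)}")
    print("reorder undone:", undo_reorder(md5_reorder(pw)) == md5_hex(pw))
    rec_a, rec_b = make_password_record(pw), make_password_record(pw)
    print("same password, different records:", rec_a["hash"] != rec_b["hash"])
    print("verify:", verify_password(rec_a, pw), verify_password(rec_a, "wrong"))
```

The loop in the main block recovers the password for every one of the page's variants with the same five-word list, which is the practical meaning of "fixed salt" and "fixed reorder". With a per-user random salt the attacker has to repeat the whole dictionary for each account, and the PBKDF2 iteration count makes each attempt cost roughly as much as a login does.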
2. Local storage encryption
1> Encrypted objects: important data stored on the device, such as game data
3. Code security issues
1> Tools and techniques now exist to decompile a compiled app: reverse engineering
* The decompiled output is C-like pseudocode and not very readable
* But at the very least it reveals which frameworks the app uses, and because Objective-C keeps class and selector names in the binary's runtime metadata, the original class and method names are visible as well
2> Reference book: "Reverse Engineering of iOS"
3> Solution: obfuscate the code before publishing
* Before obfuscation
@interface HMPerson : NSObject
- (void)run;
- (void)eat;
@end
* After obfuscation
@interface A : NSObject
- (void)a;
- (void)b;
@end
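One common way to get the "after" form above without hand-editing every file is to generate a header of #define lines that maps each class and selector name to a random one and force-include it from the prefix header, so the compiler, and therefore the runtime metadata in the binary, only ever sees the random names. The script below is an added example (not the page's own tooling): it collects class and selector names from a constructed Objective-C interface modelled on the page's HMPerson, writes such a header, and applies the mapping to show what the compiler would see. The RESERVED set, the header name codeObfuscation_h and the naming scheme are assumptions for the example.

```python
import random
import re
import string

# Constructed Objective-C source, modelled on the page's "before" example.
SOURCE = """\
@interface HMPerson : NSObject
- (void)run;
- (void)eat;
- (void)runWithSpeed:(NSInteger)speed;
@end
"""

# Names that must never be renamed: the runtime, the SDK and Interface Builder
# look these up by name at run time (assumed list; extend it for a real project).
RESERVED = {"NSObject", "init", "dealloc", "description", "viewDidLoad", "self", "super"}

CLASS_RE = re.compile(r"@interface\s+(\w+)\s*:")
# A method declaration: "- (returntype)" followed by the selector and arguments, up to ';'.
METHOD_RE = re.compile(r"^\s*[-+]\s*\([^)]*\)\s*(.*?);", re.MULTILINE)


def collect_symbols(src):
    """Return (class names, selector keywords) declared in src, minus RESERVED."""
    classes = set(CLASS_RE.findall(src))
    selectors = set()
    for m in METHOD_RE.finditer(src):
        decl = m.group(1)
        keyworded = re.findall(r"(\w+)\s*:", decl)  # runWithSpeed:(NSInteger)speed -> runWithSpeed
        if keyworded:
            selectors.update(keyworded)
        else:
            selectors.add(decl.strip())               # run -> run
    return classes - RESERVED, selectors - RESERVED


def make_name(rng, used):
    """A random identifier that is a valid C name and not yet used."""
    while True:
        name = rng.choice(string.ascii_lowercase) + "".join(
            rng.choices(string.ascii_lowercase + string.digits, k=7))
        if name not in used:
            used.add(name)
            return name


def build_obfuscation_header(src, seed=None):
    """Return (header text, mapping). A seed makes the output reproducible for tests;
    a real build should keep the mapping so crash logs can be symbolicated."""
    rng = random.Random(seed)
    classes, selectors = collect_symbols(src)
    used = set()
    mapping = {sym: make_name(rng, used) for sym in sorted(classes | selectors)}
    lines = ["#ifndef codeObfuscation_h", "#define codeObfuscation_h",
             "// Generated: keep this file out of the repository and archive it per release"]
    lines += [f"#define {orig} {new}" for orig, new in mapping.items()]
    lines.append("#endif")
    return "\n".join(lines) + "\n", mapping


def apply_mapping(src, mapping):
    """What the compiler sees once the header is force-included via the prefix header."""
    if not mapping:
        return src
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b")
    return pattern.sub(lambda m: mapping[m.group(1)], src)


if __name__ == "__main__":
    header, mapping = build_obfuscation_header(SOURCE, seed=1)
    print(header)
    print(apply_mapping(SOURCE, mapping))
```

Because the rename happens at the preprocessor level, anything that refers to a name as a string rather than as a symbol (storyboards and XIBs, KVC key paths, NSStringFromClass comparisons, selectors built with NSSelectorFromString) silently breaks unless those names are added to RESERVED, which is the main practical limitation of this technique.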
MD5 hashing example
Import the hashing category (NSString+Hash, which provides md5String) together with the view controller and MBProgressHUD
#import "ViewController.h"
#import "MBProgressHUD.h"
#import "NSString+Hash.h"

@interface ViewController ()
@property (weak, nonatomic) IBOutlet UITextField *username;
@property (weak, nonatomic) IBOutlet UITextField *pwd;
- (IBAction)login;
@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view, typically from a nib.
}

- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event {
    // Dismiss the keyboard when the user taps outside the text fields
    [self.view endEditing:YES];
}

- (IBAction)login {
    // 1. Username
    NSString *usernameText = self.username.text;
    if (usernameText.length == 0) {
        [MBProgressHUD showError:@"Please enter user name"];
        return;
    }

    // 2. Password
    NSString *pwdText = self.pwd.text;
    if (pwdText.length == 0) {
        [MBProgressHUD showError:@"Please enter the password"];
        return;
    }

    // Show a mask while the request is in flight
    [MBProgressHUD showMessage:@"Logging in..."];

    // 3. Send the username and password to the server (HTTP protocol)
    // Create the URL: request path
    NSURL *url = [NSURL URLWithString:@"http://218.83.161.124:8080/job/login"];
    // Create the request
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    // Time the request out after 15 seconds (the default is 60 s)
    request.timeoutInterval = 15;
    request.HTTPMethod = @"POST";

#warning Hash pwdText before it leaves the device
    pwdText = [self md5Reorder:pwdText];

    // Set the request body
    NSString *param = [NSString stringWithFormat:@"username=%@&pwd=%@", usernameText, pwdText];
    NSLog(@"%@", param); // debugging only: never log credentials in a release build
    // NSString -> NSData
    request.HTTPBody = [param dataUsingEncoding:NSUTF8StringEncoding];

    // Set request header information
    [request setValue:@"iPhone 6" forHTTPHeaderField:@"User-Agent"];

    // Send an asynchronous request; queue: where the completionHandler runs
    NSOperationQueue *queue = [NSOperationQueue mainQueue];
    [NSURLConnection sendAsynchronousRequest:request queue:queue completionHandler:^(NSURLResponse *response, NSData *data, NSError *connectionError) {
        // This block is called automatically when the request completes
        // Hide the mask
        [MBProgressHUD hideHUD];

        if (connectionError || data == nil) { // usually a timeout
            [MBProgressHUD showError:@"Request failed"];
            return;
        }

        // Parse the JSON data returned by the server
        NSDictionary *dict = [NSJSONSerialization JSONObjectWithData:data options:NSJSONReadingMutableLeaves error:nil];
        NSString *error = dict[@"error"];
        if (error) {
            [MBProgressHUD showError:error];
        } else {
            NSString *success = dict[@"success"];
            [MBProgressHUD showSuccess:success];
        }
    }];
}

/**
 *  MD5($pass . $salt)
 *
 *  @param text plaintext
 *
 *  @return hashed value
 */
- (NSString *)md5Salt:(NSString *)text {
    // Add salt: append a string to the plaintext. This salt is fixed and
    // compiled into the app, so it can be recovered by reverse engineering.
    NSString *salt = [text stringByAppendingString:@"AAA"];
    return [salt md5String];
}

/**
 *  MD5(MD5($pass))
 *
 *  @param text plaintext
 *
 *  @return hashed value
 */
- (NSString *)doubleMD5:(NSString *)text {
    return [[text md5String] md5String];
}

/**
 *  Hash first, then reorder
 *
 *  @param text plaintext
 *
 *  @return hashed and reordered value
 */
- (NSString *)md5Reorder:(NSString *)text {
    NSString *pwd = [text md5String];
    // hashed pwd == 3f853778a951fd2cdf34dfd16504c5d8
    NSString *prefix = [pwd substringFromIndex:2];
    NSString *suffix = [pwd substringToIndex:2];
    // after reordering: result == 853778a951fd2cdf34dfd16504c5d83f
    NSString *result = [prefix stringByAppendingString:suffix];
    NSLog(@"\ntext=%@\npwd=%@\nresult=%@", text, pwd, result);
    return result;
}

@end
iOS Data Encryption Scheme