Submitting users' private data
Always use a POST request to submit a user's private data:
All parameters of a GET request are exposed directly in the URL.
The requested URL is typically recorded in the server's access log.
Server access logs are a prime target for attackers.
(POST only keeps the data out of the URL and the access log; without HTTPS the request body still crosses the network in the clear.)
Users' private data:
Login password
Account
... ...
Data security
Simply submitting private data with a POST request is still not a complete solution to the security problem.
With software such as Charles you can set up a proxy server and intercept and view the request data a phone sends.
Therefore, private data must never be submitted in the clear: process it with a cryptographic algorithm (hash or encrypt it) before submitting. Note that a hash sent over plain HTTP can still be captured and replayed by the same proxy, so this is defence in depth, not a substitute for TLS.
Common cryptographic algorithms
<code class="hljs tex">MD5 \ SHA \ DES \ 3DES \ RC2 and RC4 \ RSA \ IDEA \ DSA \ AES</code>
(MD5 and SHA are hash functions; DES, 3DES, RC2, RC4, IDEA and AES are symmetric ciphers; RSA and DSA are asymmetric algorithms.)
Selection of cryptographic algorithms
Most companies have their own encryption scheme; encrypt according to the requirements of the company's interface documentation.
MD5 hashing (commonly called "MD5 encryption")
What is MD5
The full name is Message-Digest Algorithm 5.
Effect: produces a 128-bit digest (conventionally written as 32 hexadecimal characters) for any input. MD5 is a hash function, not an encryption algorithm: there is no key, and there is nothing to "decrypt".
Intended properties of MD5
Collision resistance: two different inputs should not produce the same digest. This property is broken for MD5; colliding inputs can be generated cheaply, so MD5 must not be used for digital signatures or certificates.
Preimage resistance: the original input cannot be recovered from the digest, i.e. the process is one-way. This still holds in general, but for short, guessable inputs such as passwords the digest is effectively reversible by brute force or precomputed lookup tables.
Applications of MD5
Because MD5 is fast, free to use and was long believed to be secure, it became widely used, mainly for digital signatures, file integrity verification and password storage. Today only non-adversarial integrity checks remain a reasonable use.
MD5 "decryption" website: http://www.cmd5.com (this is a lookup table of precomputed digests, not real decryption; it shows why an unsalted MD5 of a password is easily reversed)
MD5 improvements
MD5 is no longer considered safe on its own. The following tweaks raise the cost of cracking somewhat:
Salting: insert a random string at a fixed position in the plaintext before computing the MD5.
Hash first, then reorder: compute the MD5 of the plaintext, then shuffle the characters of the resulting digest.
... ...
In short, the purpose is that even if the database is compromised, the attacker cannot recover the correct plaintext.
Caveat: a fixed salt embedded in the app and a fixed reordering are part of the scheme, not secrets. An attacker who has reverse engineered the client simply recomputes the scheme for every guess, so these tweaks only defeat generic lookup tables. The standard answer is a random per-user salt and a deliberately slow password hash (bcrypt, scrypt or PBKDF2) applied on the server.
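The following is an added example, not code from the original post. It re-implements in Python the three MD5 "enhancements" described above and listed in the encryption scheme below (MD5($pass.$salt) with the post's fixed salt "aaa", MD5(MD5($pass)), and hash-then-reorder), runs a small dictionary attack against each to show that a fixed app-embedded salt or a fixed reordering adds nothing once the scheme is known, and contrasts them with a per-user random salt plus PBKDF2 on the server. The wordlist, test passwords and the PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Added example (not from the original post). The fixed salt matches the
# post's MD5Salt: method; everything else is constructed for the demo.
FIXED_SALT = "aaa"


def md5_hex(text: str) -> str:
    """Plain MD5 of a UTF-8 string, rendered as 32 hex characters."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def md5_salt(password: str) -> str:
    """MD5($pass.$salt) with a fixed salt shipped inside the app."""
    return md5_hex(password + FIXED_SALT)


def double_md5(password: str) -> str:
    """MD5(MD5($pass))."""
    return md5_hex(md5_hex(password))


def md5_reorder(password: str) -> str:
    """MD5 first, then move the first two hex characters to the end
    (the same reordering as the post's MD5Reorder: method)."""
    digest = md5_hex(password)
    return digest[2:] + digest[:2]


# A tiny constructed wordlist; real attacks use lists with billions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "admin", "dragon"]


def dictionary_attack(target: str, scheme: Callable[[str], str]) -> Optional[str]:
    """Recover the password behind `target` by recomputing a known client-side
    scheme for every candidate. The salt and the reordering are fixed and
    readable out of the app, so they add no work for the attacker."""
    for candidate in WORDLIST:
        if hmac.compare_digest(scheme(candidate), target):
            return candidate
    return None


# Server-side alternative: a random per-user salt and a deliberately slow KDF.
PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly


def pbkdf2_store(password: str) -> tuple:
    """Return (salt, digest) to store for a new user."""
    salt = os.urandom(16)  # fresh random salt per user, stored beside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    secret = "letmein"
    for name, scheme in [("MD5($pass.$salt)", md5_salt),
                         ("MD5(MD5($pass))", double_md5),
                         ("MD5 then reorder", md5_reorder)]:
        stored = scheme(secret)
        print(f"{name:18s} stored={stored} cracked={dictionary_attack(stored, scheme)}")
    # Two users with the same password: identical under every MD5 variant,
    # different under PBKDF2 because each user gets a fresh random salt.
    print("md5_salt identical for two users:", md5_salt(secret) == md5_salt(secret))
    s1, d1 = pbkdf2_store(secret)
    s2, d2 = pbkdf2_store(secret)
    print("pbkdf2 identical for two users:", d1 == d2)
    print("pbkdf2 verify correct/wrong:", pbkdf2_verify(secret, s1, d1), pbkdf2_verify("wrong", s1, d1))
```

Running the script shows each of the three MD5 variants cracked from the wordlist in a fraction of a second, while the PBKDF2 records for two users with the same password differ and each guess costs the attacker 100,000 HMAC-SHA256 iterations.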
Network Data Encryption Scheme
1> Objects to encrypt: private data, such as passwords and bank details
2> Encryption scheme
* Private data must be submitted with a POST request
* Hash or encrypt private data with a cryptographic algorithm, such as MD5
3> Hardening: to increase the difficulty of cracking
* Double MD5: MD5(MD5($pass)); salt first, then MD5: MD5($pass.$salt)
2. Local Storage Encryption
1> Objects to encrypt: important data, such as game data
3. Code Security
1> Tools and techniques now exist to decompile an app binary: reverse engineering
* The decompiled output is C-like pseudocode or assembly, so its readability is low
* At the very least, an attacker can tell which frameworks the source code uses
2> Reference book: "Reverse Engineering of iOS"
3> Solution: obfuscate the code before publishing
* Before obfuscation
<code class="hljs objectivec">
@interface HMPerson : NSObject
- (void)run;
- (void)eat;
@end
</code>
* After obfuscation
<code class="hljs objectivec">
@interface A : NSObject
- (void)a;
- (void)b;
@end
</code>
MD5 Hashing Example
Import the header files (the NSString+Hash category supplies the md5String method)
<code class="hljs objectivec">
#import "ViewController.h"
#import "MBProgressHUD.h"
#import "NSString+Hash.h"

@interface ViewController ()
@property (weak, nonatomic) IBOutlet UITextField *username;
@property (weak, nonatomic) IBOutlet UITextField *pwd;
- (IBAction)login;
@end

@implementation ViewController

- (void)viewDidLoad
{
    [super viewDidLoad];
    // Do any additional setup after loading the view, typically from a nib.
}

- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event
{
    [self.view endEditing:YES];
}

- (IBAction)login {
    // 1. Username
    NSString *usernameText = self.username.text;
    if (usernameText.length == 0) {
        [MBProgressHUD showError:@"Please enter a username"];
        return;
    }
    // 2. Password
    NSString *pwdText = self.pwd.text;
    if (pwdText.length == 0) {
        [MBProgressHUD showError:@"Please enter a password"];
        return;
    }
    // Show a HUD overlay
    [MBProgressHUD showMessage:@"Logging in..."];
    // 3. Send the username and password to the server (over HTTP)
    // Create a URL: the request path
    NSURL *url = [NSURL URLWithString:@"http://218.83.161.124:8080/job/login"];
    // Create a request
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    // Treat the request as timed out after 15 s (the default is 60 s)
    request.timeoutInterval = 15;
    request.HTTPMethod = @"POST";
#warning Hash pwdText before sending it
    pwdText = [self MD5Reorder:pwdText];
    // Set the request body
    NSString *param = [NSString stringWithFormat:@"username=%@&pwd=%@", usernameText, pwdText];
    // Debug only: never log credentials (even hashed ones) in a release build
    NSLog(@"%@", param);
    // NSString --> NSData
    request.HTTPBody = [param dataUsingEncoding:NSUTF8StringEncoding];
    // Set request header fields
    [request setValue:@"iPhone 6" forHTTPHeaderField:@"User-Agent"];
    // Send an asynchronous request
    // queue: the queue on which the completionHandler block runs (here the main queue)
    NSOperationQueue *queue = [NSOperationQueue mainQueue];
    [NSURLConnection sendAsynchronousRequest:request queue:queue completionHandler:
     ^(NSURLResponse *response, NSData *data, NSError *connectionError) {
        // Hide the HUD
        [MBProgressHUD hideHUD];
        // This block is called automatically when the request completes
        if (connectionError || data == nil) {
            // A timed-out request usually ends up here
            [MBProgressHUD showError:@"Request failed"];
            return;
        }
        // Parse the JSON returned by the server
        NSError *jsonError = nil;
        NSDictionary *dict = [NSJSONSerialization JSONObjectWithData:data options:NSJSONReadingMutableLeaves error:&jsonError];
        if (jsonError || ![dict isKindOfClass:[NSDictionary class]]) {
            [MBProgressHUD showError:@"Invalid server response"];
            return;
        }
        NSString *error = dict[@"error"];
        if (error) {
            [MBProgressHUD showError:error];
        } else {
            NSString *success = dict[@"success"];
            [MBProgressHUD showSuccess:success];
        }
    }];
}

/**
 * MD5($pass.$salt)
 *
 * @param text plaintext
 *
 * @return the digest
 */
- (NSString *)MD5Salt:(NSString *)text
{
    // Salting: append a salt string to the plaintext before hashing.
    // This example uses a fixed salt; a random per-user salt stored on the server is stronger.
    NSString *salt = [text stringByAppendingString:@"aaa"];
    return [salt md5String];
}

/**
 * MD5(MD5($pass))
 *
 * @param text plaintext
 *
 * @return the digest
 */
- (NSString *)doubleMD5:(NSString *)text
{
    return [[text md5String] md5String];
}

/**
 * Hash first, then reorder
 *
 * @param text plaintext
 *
 * @return the reordered digest
 */
- (NSString *)MD5Reorder:(NSString *)text
{
    NSString *pwd = [text md5String];
    // After hashing, pwd == 3f853778a951fd2cdf34dfd16504c5d8
    NSString *prefix = [pwd substringFromIndex:2];
    NSString *suffix = [pwd substringToIndex:2];
    // After reordering, result == 853778a951fd2cdf34dfd16504c5d83f
    NSString *result = [prefix stringByAppendingString:suffix];
    NSLog(@"\ntext=%@\npwd=%@\nresult=%@", text, pwd, result);
    return result;
}

@end
</code>
iOS Development: Network Data Security Encryption (MD5)