I am creating a web app that I will wrap in a web view for Android and iOS devices. The web view will be very simple code, basically pointing at my web app. For example: www.myapp

I want the users to only be able to access the web app (use it) after they have bought the app in the app store. How can I prevent users from decompiling the source and going to the URL directly?

asked Apr 1, 2014 at 21:36 by LuckyLuke
  • Sorry if I'm missing something really obvious, but how would a user get the code to decompile without first buying the app? Are you asking about what to do if one user buys it, decompiles it, and shares the URL? – guest Commented Apr 1, 2014 at 21:39
  • possible duplicate of Django: Only accept requests coming from my applications – Paulw11 Commented Apr 1, 2014 at 22:07
  • 2 A word of warning: Apple has a history of rejecting apps that simply wrap a website in a UIWebView. Your app needs to offer functionality above what you could do with a web browser, e.g. make use of the camera, location services, etc. – Paulw11 Commented Apr 1, 2014 at 22:09
  • @Paulw11 I use HTTP Basic + SSL. – LuckyLuke Commented Apr 2, 2014 at 18:20
  • Hi @LuckyLuke, is your purpose just hiding your URL? – CompEng Commented Apr 8, 2014 at 12:44

6 Answers


There is no way of preventing the user from obtaining the URL and accessing it directly, if he really wants to, and then posting it in an online forum.

There is a way to prevent this particular scenario, but it still does not protect the application completely. The idea is to ship the application with a secret key in its binary that gets used to sign every request sent from your site; see here for some details.

This way you can ensure that the request came from someone who had the API key, most likely your app. This would prevent the scenario where the URL gets posted on a forum and the app gets accessed directly via web browser.

This mechanism is normally used to protect JSON APIs, but can also be used to protect access to web pages from a web view app.

But this does not prevent someone from inspecting the binary to get to the API key, and produce another app or program that signs requests with it, creating a clone of your app.

For example, apps like Twitter had their keys exposed in blog posts.

So it's a tradeoff of security versus convenience: if you want to cover the URL being accessed from browsers, use an API key and periodically scan the Android store for clone applications and report them to be shut down. This should be infrequent and easily spotted, and users will also report it to you.

If you want more security then put the app up for free, and manage login/payments yourself: it's much more complicated, and will discourage users, meaning fewer sales. Using an API key seems to be the best security/convenience tradeoff.

This question reminds me of another discussion here in which I participated, with a similar problem. The accepted answer has quite an extensive list of things that you can try.

For my own answer there, this is the short summary from the "Verifying Back-End Calls from Android Apps" article that I linked:

You use the GoogleAuthUtil class, available through Google Play services, to retrieve a string called an “ID Token”. You send the token to your back end and your back end can use it to quickly and cheaply verify which app sent it and who was using the app.

In general, the approach is to add some code to check that the requests coming to your URL are produced by "authenticated/paid" users (which in the Android blog example is done by checking their Google Play Services account).

Client-side verification would be useless, because anyone who knows the URL will be able to access it. And, no matter how much code obfuscation you use, it will never be hidden from a determined hacker. Furthermore, hacking is not even necessary if the request is routed through a proxy; the log will reveal the URL anyway.

You should do server-side verification and have a simple script to see where those requests are coming from.

Every HTTP request provides some information about the client. You can look into that information to determine where the request exactly came from. To add a little bit more security you can modify and set your own value in an HTTP header from the client side.

The implementation would be different on Android and on iOS, as the challenges are also different.

Android

On Android, it is relatively easy to publish an app to the market, and if anyone knows your URL, they can do the same trick with HTTP requests and release another app. To prevent that:

Every Android app is signed by a certificate; you can send the signature value in an HTTP header and verify that on the server side. See this for how to get the signature from an Android app.

Remember that the app signature is unique and this is how the Google Play store identifies an app, so there is no way another developer will get hold of that. If it doesn't satisfy you, add an additional header value (some secret) and change it with every update.

HttpURLConnection and other HTTP APIs from Android or from Apache provide support to do that.

iOS

See this for how to modify HTTP headers on iOS.

In this case one problem still exists: anyone can create an iOS app and do the same. But on iOS people cannot simply do that, as every app goes through a lengthy Apple verification process. You can even have a rotating secret, or generate it on the fly with every new app update or HTTP request, which only your server will be able to verify, to make things more difficult.
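The request-signing scheme from the first answer and the server-verified custom header from the answer above, as an added Python example that is not code from any of the answers (the function names, the X-App-* header names and the secret value are assumptions; the secret is a constructed placeholder):

```python
import hashlib
import hmac
import time

# Shared secret the answers propose shipping inside the app binary.
# Constructed placeholder; a real build would generate its own.
APP_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # reject signatures older than five minutes (replay window)


def canonical_string(method, path, timestamp, body):
    # Everything the server checks must be covered by the MAC, otherwise a
    # caller can change the uncovered part and keep a valid signature.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, body=b"", now=None):
    """Client side: headers the wrapper app attaches to every request."""
    timestamp = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-App-Timestamp": timestamp, "X-App-Signature": mac.hexdigest()}


def verify_request(secret, method, path, headers, body=b"", now=None):
    """Server side: True only for a fresh request signed with the shared secret.

    A plain browser visit to the URL carries no headers and is rejected,
    which is the forum-post scenario the first answer describes.
    """
    timestamp = headers.get("X-App-Timestamp")
    signature = headers.get("X-App-Signature", "")
    if timestamp is None or not timestamp.isdigit():
        return False
    current = now if now is not None else time.time()
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or replayed request
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    headers = sign_request(APP_SECRET, "GET", "/app/index.html")
    print(verify_request(APP_SECRET, "GET", "/app/index.html", headers))  # True
    print(verify_request(APP_SECRET, "GET", "/app/index.html", {}))       # False
```

As both answers note, a secret extracted from the app binary still passes this check; the timestamp only limits replay of captured requests.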

I believe you should use OAuth 2 to restrict access to your web server.

This question may be of help: Options to securely authenticate mobile access using OAuth2

You can download the wrapped URL from a web service (use HTTPS), and that way the URL will never be inside the app to decompile.

Anyway, a web request could be monitored by a sniffer and the URL possibly still retrieved.

You can try these ways:

  1. Use a shrinker, optimizer, obfuscator, and preverifier like ProGuard
  2. Divide your web site URL into more pieces and put them in your strings.xml
  3. Write encryption like AES or DES to encrypt your URL strings in strings.xml
  4. At runtime you can decrypt and combine your URL string and set it to a variable. And when you have used it, you can set that variable to null so people can't get it from memory

I think this hides your string and people can't find it easily.
