我正在开发一个Android应用程序,它会向我的Web服务发出请求。我在Android应用程序中获取数据的方式是在代码里静态写入一个URL。代码中的这个URL对用户不可见。用户是否有可能看到我的URL,并借此入侵我的Web服务?
我在StackOverflow上找到了一个解决方案,其中提到我应该用字符串资源静态保存我的URL。但我也发现一个问题:如果设备已经root,就可以在文件管理器中打开Android上的资源文件。
如果有人能给我一些提示,我就可以开始了:
通过Web服务在PHP中调用函数。
public function getStudents(){ /* code that fetches the students' JSON goes here */ }
隐藏在Android中调用网络服务的网址。
答案 0 :(得分:0)
如果我理解正确,您希望用户(拥有该应用的任何用户)能在您的应用中查看某些数据,但无法直接下载这些数据。这意味着您希望用户既能访问数据又无法访问数据,这显然是不可能的。内容产业已经尝试过无数种DRM方案。您能做的(也正是DRM所做的)只是让获取数据变得更麻烦。
用户可以通过嗅探(拦截)流量来获取URL。为了防止这种情况,您应该使用SSL,并加入一项额外的检查来限制所接受的SSL证书。这样可以阻止用户在手机上安装自己的CA,然后用MitM工具获取URL。
然后,您需要把用来将您的应用与恶意用户区分开的URL/密钥/其他任何凭据尽可能深地隐藏在应用中。当然要把它藏在代码里,并使用ProGuard使其更难被读出。
此外,可以使用自定义User-Agent、自定义HTTP头以及其他类似的手段,在服务器端进行检查,并只返回笼统的错误消息,这样攻击者就不知道您是如何发现他没有使用您的应用的;同时也要把在应用中添加这些内容的代码隐藏起来。(其中一些可以通过静态调用来设置,因此几乎可以藏在任何地方。)
答案 1 :(得分:0)
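public class WebServis extends AppCompatActivity {
    ProgressDialog pDialog;
    // Namespace of the web service.
    private final String _Namspace = "http://tempuri.org/";
    // Name of the web-service method.
    private final String _MethodName = "methodname";
    // SOAP action: namespace followed by the method name.
    private final String _Action = "http://tempuri.org/" + _MethodName;
    // Address of the web service. The original literal was left unterminated
    // ("http://"ip&or&domain"/...") and did not compile; <ip-or-domain> is a
    // placeholder to replace. Note this is plain http: the URL and the whole
    // user table travel in clear text on the network path; TLS plus a check on
    // the accepted certificate (as described in answer 0) is the fix for that.
    private final String _Url = "http://<ip-or-domain>/WebService/Service.asmx";
    private String _ResultValue = "";
    // The following fields are not used by this activity; kept unchanged.
    Context context;
    EditText _birinci_sayi, _ikinci_sayi;
    String a, b;
    String TAG = "Response";
    // Raw SOAP response body; null when the last call failed (see calculate()).
    String resultString;
    Object object = null;
    private ListView lv;
    // Rows parsed from the response, one map per user; filled by showData().
    ArrayList<HashMap<String, String>> contactList;
    Button _btn_topla;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_web_servis);
        _btn_topla = (Button) findViewById(R.id.button);
        lv = (ListView) findViewById(R.id.listView);
        // Each tap starts one background call to the web service.
        _btn_topla.setOnClickListener(new View.OnClickListener() {
            public void onClick(View v) {
                new AsyncCallWS().execute();
            }
        });
    }

    // Runs the web-service call off the UI thread and binds the result to the list.
    private class AsyncCallWS extends AsyncTask<Void, Void, Void> {
        @Override
        protected void onPreExecute() {
            Log.i(TAG, "onPreExecute");
        }

        @Override
        protected Void doInBackground(Void... params) {
            Log.i(TAG, "doInBackground");
            calculate();
            showData(resultString);
            return null;
        }

        @Override
        protected void onPostExecute(Void result) {
            super.onPostExecute(result);
            // Do not append resultString here: the body carries the PASS column.
            Log.i(TAG, "onPostExecute");
            // A failed call or an unparsable response leaves contactList null;
            // bind an empty list instead of handing null to SimpleAdapter.
            if (contactList == null) {
                contactList = new ArrayList<>();
            }
            try {
                ListAdapter adapter = new SimpleAdapter(
                        WebServis.this, contactList,
                        R.layout.list_order,
                        new String[]{"name", "email", "adres"},
                        new int[]{R.id.Name, R.id.Email, R.id.Adres});
                lv.setAdapter(adapter);
            } catch (Exception e) {
                Toast.makeText(getApplicationContext(), "Hata" + e.toString(), Toast.LENGTH_SHORT).show();
                Log.e(TAG, "Could not bind the user list", e);
            }
        }
    }

    /**
     * Calls the web-service method and stores the raw response in resultString
     * (null when the call fails). Performs network I/O, so it is invoked from
     * the AsyncTask rather than the UI thread.
     */
    public void calculate() {
        // Reset so a failed call does not leave the previous response in place.
        resultString = null;
        try {
            SoapObject request = new SoapObject(_Namspace, _MethodName);
            // The server method that receives these (xLxS in the ASP.net sample)
            // forwards table, columns, WHERE text and TOP straight into its
            // SELECT, so the client effectively chooses the query; the server
            // has to allow-list them. PASS is requested although the list
            // layout never displays it.
            request.addProperty("TABLENAME", "USER_TBL");
            request.addProperty("COLUMNS", "USERID,NAME,PASS,EPOSTA,ADRESS");
            request.addProperty("WHERECRTR", "");
            request.addProperty("TOP", "");
            request.addProperty("COLUMN", "");
            SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
            envelope.dotNet = true;
            envelope.setOutputSoapObject(request);
            HttpTransportSE transport = new HttpTransportSE(_Url);
            // debug=true makes the transport keep a copy of the request and
            // response XML (requestDump/responseDump); that copy contains the
            // PASS column as well, so it should be off in release builds.
            transport.debug = true;
            transport.call(_Action, envelope);
            SoapPrimitive response = (SoapPrimitive) envelope.getResponse();
            resultString = response.toString();
            // Log the size only; the body holds every user's password column.
            Log.i(TAG, "Response received, " + resultString.length() + " chars");
        } catch (Exception ex) {
            // Previously swallowed silently, which made an empty list impossible to diagnose.
            Log.e(TAG, "Web service call failed", ex);
        }
    }

    /**
     * Parses the service response into contactList.
     *
     * @param json response body, expected to be a JSON object holding a
     *             "USER_TBL" array; null means the call failed
     */
    private void showData(String json) {
        // Log the size rather than the body, which carries the PASS column.
        Log.e(TAG, "Response from json: " + (json == null ? "null" : json.length() + " chars"));
        if (json == null) {
            Log.e(TAG, "Couldn't get json from server.");
            showToast("Couldn't get json from server. Check LogCat for possible errors!");
            return;
        }
        try {
            JSONObject jsonObj = new JSONObject(json);
            JSONArray contacts = jsonObj.getJSONArray("USER_TBL");
            contactList = new ArrayList<>(contacts.length());
            for (int i = 0; i < contacts.length(); i++) {
                JSONObject c = contacts.getJSONObject(i);
                HashMap<String, String> contact = new HashMap<>();
                contact.put("id", c.getString("USERID"));
                contact.put("name", c.getString("NAME"));
                contact.put("email", c.getString("EPOSTA"));
                contact.put("adres", c.getString("ADRESS"));
                // Kept for parity with the original; nothing displays it, so
                // dropping PASS from the requested COLUMNS is the better fix.
                contact.put("pass", c.getString("PASS"));
                contactList.add(contact);
            }
        } catch (final JSONException e) {
            Log.e(TAG, "Json parsing error: " + e.getMessage());
            showToast("Json parsing error: " + e.getMessage());
        }
    }

    /** Shows a long toast; safe to call from the background thread. */
    private void showToast(final String message) {
        runOnUiThread(new Runnable() {
            @Override
            public void run() {
                Toast.makeText(getApplicationContext(), message, Toast.LENGTH_LONG).show();
            }
        });
    }
}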
答案 2 :(得分:0)
ASP.net
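/// <summary>
/// Runs a SELECT on <paramref name="TABLENAME"/> and returns the result as JSON,
/// or, when exactly one row comes back and <paramref name="COLUMN"/> names a
/// column, that single cell as text. Returns "" when no row matches.
/// </summary>
/// <param name="TABLENAME">Table to query.</param>
/// <param name="COLUMNS">Column list forwarded to the SELECT.</param>
/// <param name="WHERECRTR">WHERE text forwarded to the SELECT.</param>
/// <param name="TOP">TOP value forwarded to the SELECT.</param>
/// <param name="COLUMN">Column whose value to return for a single-row result; empty for JSON.</param>
public string xLxS(string TABLENAME, string COLUMNS, string WHERECRTR, string TOP, string COLUMN)
{
    // Every argument arrives from the caller of this web method and is handed to
    // SELECTSQL unchanged, so the caller chooses table, columns and WHERE clause.
    // Identifiers cannot be bound as SQL parameters; validate TABLENAME/COLUMNS/
    // TOP against an allow-list and parameterize WHERECRTR before this point.
    string sonuc = "";
    // Argument order (TOP before WHERECRTR) differs from this method's parameter
    // order; it is kept as in the original -- verify against SELECTSQL's signature.
    DT = dataclass.SELECTSQL(TABLENAME, COLUMNS, TOP, WHERECRTR, "");
    if (DT.Rows.Count == 1)
    {
        // The original tested COLUMN != "" here, so a single row with no column
        // requested indexed DT.Rows[0][""] and threw, while a requested column
        // was ignored and the JSON returned instead.
        if (string.IsNullOrEmpty(COLUMN))
        {
            sonuc = DataTableToJsonObj(DT, TABLENAME);
        }
        else
        {
            sonuc = DT.Rows[0][COLUMN].ToString();
        }
    }
    else if (DT.Rows.Count > 1)
    {
        sonuc = DataTableToJsonObj(DT, TABLENAME);
    }
    return sonuc;
}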