2017-06-21 125 views

I'm building an iOS app, and I have an AWS EC2 instance running a Sinatra app that swaps and refreshes Spotify SDK access tokens. I'd like to know whether there are any security issues with having a URL such as http://#someIP:4567 in the app itself. How secure is it to run the Sinatra Ruby app that backs the iOS app on a bare IP?

I know that an AWS EC2 instance can be secured by making it https, but how can the IP be secured in the same way (if I even need to do that)?

Here is what's in the Ruby file:

require 'sinatra'
require 'net/http'
require 'net/https'
require 'base64'
require 'encrypted_strings'
require 'json'

set :bind, '0.0.0.0'

# The credentials are read from the server's environment; the strings below
# are the names of the environment variables (names chosen here, set whatever
# names you use on the server), never the secret values themselves.
CLIENT_ID = ENV.fetch('SPOTIFY_CLIENT_ID')
CLIENT_SECRET = ENV.fetch('SPOTIFY_CLIENT_SECRET')
ENCRYPTION_SECRET = ENV.fetch('ENCRYPTION_SECRET')
# Must match the redirect URI registered with Spotify, e.g. appForSpotify://returnAfterLogin
CLIENT_CALLBACK_URL = ENV.fetch('CLIENT_CALLBACK_URL')

SPOTIFY_ACCOUNTS_ENDPOINT = URI.parse("https://accounts.spotify.com")

# Built once at load time; assigning a constant inside a route block would
# reassign it on every request and warn about an already initialized constant.
AUTH_HEADER = "Basic " + Base64.strict_encode64(CLIENT_ID + ":" + CLIENT_SECRET)

get '/' do
  "Working"
end

post '/swap' do
  # This call takes a single POST parameter, "code", which
  # it combines with your client ID, secret and callback
  # URL to get an OAuth token from the Spotify Auth Service,
  # which it will pass back to the caller in a JSON payload.
  auth_code = params[:code]
  halt 400, 'missing code' if auth_code.nil? || auth_code.empty?

  http = Net::HTTP.new(SPOTIFY_ACCOUNTS_ENDPOINT.host, SPOTIFY_ACCOUNTS_ENDPOINT.port)
  http.use_ssl = true

  request = Net::HTTP::Post.new("/api/token")
  request.add_field("Authorization", AUTH_HEADER)
  request.form_data = {
    "grant_type" => "authorization_code",
    "redirect_uri" => CLIENT_CALLBACK_URL,
    "code" => auth_code
  }

  response = http.request(request)
  payload = response.body

  # encrypt the refresh token before forwarding to the client
  if response.code.to_i == 200
    token_data = JSON.parse(payload)
    refresh_token = token_data["refresh_token"]
    token_data["refresh_token"] = refresh_token.encrypt(:symmetric, :password => ENCRYPTION_SECRET)
    payload = JSON.dump(token_data)
  end

  content_type :json
  status response.code.to_i
  payload
end

post '/refresh' do
  # Request a new access token using the POST:ed (encrypted) refresh token
  encrypted_token = params[:refresh_token]
  halt 400, 'missing refresh_token' if encrypted_token.nil? || encrypted_token.empty?
  refresh_token = encrypted_token.decrypt(:symmetric, :password => ENCRYPTION_SECRET)

  http = Net::HTTP.new(SPOTIFY_ACCOUNTS_ENDPOINT.host, SPOTIFY_ACCOUNTS_ENDPOINT.port)
  http.use_ssl = true

  request = Net::HTTP::Post.new("/api/token")
  request.add_field("Authorization", AUTH_HEADER)
  request.form_data = {
    "grant_type" => "refresh_token",
    "refresh_token" => refresh_token
  }

  response = http.request(request)

  content_type :json
  status response.code.to_i
  response.body
end

In Xcode I would POST to http://#someIP:4567/swap and http://#someIP:4567/refresh

Is this secure? Am I handling it correctly? By sending requests to an IP that anyone can reach, am I putting myself and the other people using the app at risk of having information stolen or viewed?

Answer


HTTPS only works with domain names, not with IPs. If you only use an IP, you are exposed to MITM attacks and all your data is plain text. Anyone can eavesdrop on your requests. The swap request has a code parameter; I'm guessing the code is a credential, right? If so, it's best to grab a domain name and set it up with AWS Route 53. Then buy a cheap SSL certificate and associate it with the domain. Then on the iOS side, enable HTTPS instead of HTTP to talk to your server. This has nothing to do with your Sinatra app.

To learn more about SSL/HTTPS, you can look at some beginner tutorials like this one: http://www.hongkiat.com/blog/ssl-certs-guide/
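As an added example, not part of the question, the answer, or the Spotify sample code: a small Rack-style middleware, using only the Ruby standard library, that enforces the HTTPS-only policy the answer describes once a domain and certificate are in place. It refuses POST /swap and POST /refresh over plain HTTP instead of redirecting them (a redirect would silently drop the POSTed code or refresh token), redirects plain GETs to the HTTPS origin, recognises TLS terminated by a load balancer through the X-Forwarded-Proto header, and adds an HSTS header to responses served over HTTPS. The host name tokens.example.com, the stand-in TOKEN_APP and the build_env helper are constructed for this example.

```ruby
# Rack-style middleware: any object responding to call(env) and returning
# [status, headers, body] can wrap a Sinatra app via `use`.
class RequireHttps
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app, host:)
    @app  = app
    @host = host # the domain name the certificate was issued for (assumed)
  end

  def call(env)
    return secure_response(env) if https?(env)

    if env['REQUEST_METHOD'] == 'GET'
      # Safe, idempotent requests can simply be sent to the HTTPS origin.
      location = "https://#{@host}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
      [301, { 'Content-Type' => 'text/plain', 'Location' => location }, ['Moved Permanently']]
    else
      # POST /swap and POST /refresh carry credentials in the body; a redirect
      # would drop that body, so refuse the request outright.
      [403, { 'Content-Type' => 'text/plain' }, ['HTTPS required']]
    end
  end

  private

  # TLS is either terminated by the Ruby server itself (HTTPS=on / url_scheme)
  # or by a load balancer in front of it, which reports the original scheme in
  # X-Forwarded-Proto. Only trust that header when a balancer you control sets it.
  def https?(env)
    env['HTTPS'] == 'on' ||
      env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  # Pass the request through and tell the client to keep using HTTPS.
  def secure_response(env)
    status, headers, body = @app.call(env)
    [status, headers.merge('Strict-Transport-Security' => HSTS), body]
  end
end

# Constructed stand-in for the Sinatra app: accepts POST /swap and returns a
# constructed token payload; everything else is 404.
TOKEN_APP = lambda do |env|
  if env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == '/swap'
    [200, { 'Content-Type' => 'application/json' }, ['{"access_token":"constructed-example"}']]
  else
    [404, { 'Content-Type' => 'text/plain' }, ['not found']]
  end
end

APP = RequireHttps.new(TOKEN_APP, host: 'tokens.example.com')

# Builds a minimal Rack env by hand so the policy can be exercised offline.
def build_env(method, path, scheme: 'http', forwarded_proto: nil, query: '')
  env = {
    'REQUEST_METHOD'  => method,
    'PATH_INFO'       => path,
    'QUERY_STRING'    => query,
    'rack.url_scheme' => scheme
  }
  env['HTTPS'] = 'on' if scheme == 'https'
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  env
end

# Returns the [status, headers, body] triple for a POST /swap over the given scheme.
def swap_over(scheme, forwarded_proto: nil)
  APP.call(build_env('POST', '/swap', scheme: scheme, forwarded_proto: forwarded_proto))
end

if __FILE__ == $0
  status, = swap_over('http')
  puts "POST /swap over http  -> #{status}"
  status, headers, = swap_over('https')
  puts "POST /swap over https -> #{status}, HSTS: #{headers['Strict-Transport-Security']}"
end
```

In the Sinatra file this would be attached with `use RequireHttps, host: 'your.domain'` above the routes. The X-Forwarded-Proto check matters on EC2 behind an AWS load balancer that terminates TLS; when the Ruby process faces the internet directly, leave that branch out so a client cannot claim to be on HTTPS when it is not.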