WeChat Mini Program Secure Communication Solutions

WeChat mini programs are not native applications, so many solutions that rely on low-level authentication cannot be used, because a mini program is essentially a stripped-down browser. Although WeChat itself can be regarded as the underlying layer of a mini program, what a mini program can do is limited to the APIs WeChat currently provides.

Because the package produced by compiling a mini program can be intercepted, and its logic can be inspected through decompilation and similar means, writing a large amount of encryption logic inside the mini program is of little value. In addition, mini programs generally communicate over the HTTP protocol, which can be observed through a man-in-the-middle attack. So with ordinary development it is still hard to avoid being attacked; or, where there is not much to gain, nobody has bothered to attack yet...

Combining the APIs and development options WeChat currently provides with my own experience, there are three ways to secure the communication of a WeChat mini program. Naturally, all of them rest on the security of WeChat's own communication.

WeChat login code scheme

According to the WeChat login documentation, wx.login returns a code. The login documentation states that this temporary login credential code can only be used once.
First, this code is obtained through the WeChat API, and its validity is verified by having our backend exchange it with WeChat's backend using the mini program's AppId and AppSecret, so it is difficult to forge. This lets us verify that the current request was indeed sent from the WeChat mini program.

WeChat encryption and decryption scheme

WeChat has added an encryption API (see its documentation) through which the mini program can obtain an encryption key. After the mini program obtains the key via the API, the server can obtain the same key through the WeChat backend (see its documentation). The key is never transmitted through the mini program, and it is valid for 2 hours, which avoids the problem of key leakage. The mini program then encrypts its data with an encryption algorithm and sends it to the server, completing the encrypted communication; the fact that the server can decrypt it confirms that the request was sent by the mini program. This solution can basically meet most needs.

WeChat cloud development plan

The cloud development solution that WeChat is pushing for mini program development is indeed good. Its communication is encrypted inside WeChat, so it should not be obtainable by packet capture. I tried the cloud functions, cloud storage and cloud database offered by cloud development; all of them have secure communication, and the content cannot be obtained from outside. The server can access the stored information and data through the interfaces provided by the WeChat service.
If you are developing from scratch, this solution is good, and integrating it into an existing solution is feasible too. The drawbacks are a fixed monthly package fee, and the fact that the mini program's cloud development environment is tightly bound to a Tencent Cloud development account, which is a headache.

Generally speaking, developers still prefer the second option, whose service maintenance cost is relatively small.

Source: blog.csdn.net/xo19882011/article/details/130765647