Secure https encryption for iPhone app to webpage

by

There is no absolute way to achieve this goal. If you have a web service that uses a shared credential (one bundled in the application), then it will be possible to reverse engineer that credential. Ultimately it is impossible to ensure that a client running on another machine is “your” client.

There have been many discussions of this. It is not hopeless, only impossible to solve 100% (or even 90%). A simple shared secret over SSL will stop the majority of your attackers without harming your users or costing a lot to develop. It is obfuscation, not security, but cheap and “mostly effective” is much better than expensive and “mostly effective.”

If you have a very high-value product, then it may warrant more aggressive (expensive) solutions. All of these solutions include one of two things:

  • Authenticating the user rather than the program, or
  • Continual vigilance, watching for new attacks and responding with fixes that patch them.

The latter is very expensive and never ends. Make sure it’s worth it.

Some other useful discussions:

EDIT I wanted to point out one thing about my mention of “shared secret over SSL.” Remember that if you don’t verify the certificate, you are subject to very easy man-in-the-middle attacks. Readily available proxies like Charles can do this. The best approach is to make sure that the SSL certificate being returned is signed by your root certificate, not just “any trusted certificate.” You can reconfigure which certificates are trusted by your application with SecTrustSetAnchorCertificates(). iOS5:PTL covers this technique in Chapter 11 (page 221). I’ve also wrapped this into a library called RNPinnedCertValidator.

Another good layer is to implement a challenge-response system where the server authenticates that the client has the shared secret without ever putting it on the wire. The Wikipedia article on Challenge-resonse authentication includes a good explanation of the algorithm.

More Related Contents:

  1. Facebook access token server-side validation for iPhone app
  2. HTTPS with NSURLConnection – NSURLErrorServerCertificateUntrusted
  3. Cannot view Quicktime movies over HTTPS in Safari or UIWebView
  4. How to dismiss keyboard for UITextView with return key?
  5. Locking the Fields in MFMailComposeViewController
  6. How to build a framework or library for other developers, the secure way? [closed]
  7. library not found for -lPods
  8. Preserve HTML font-size when iPhone orientation changes from portrait to landscape
  9. Apple PNS (push notification services) sample code
  10. UIImagePickerController doesn’t fill screen
  11. NSDate is not returning my local Time zone /default time zone of device
  12. iPhone UITableView – Delete Button
  13. Round corners on UITableView
  14. Is there a way of adjusting the screen brightness programmatically?
  15. Preventing a UITabBar from applying a gradient to its icon images
  16. Objective-C : How to fetch the router address?
  17. iOS save photo in an app specific album
  18. iOS 5 Best Practice (Release/retain?)
  19. get NSDate today, yesterday, this Week, last Week, this Month, last Month… variables
  20. MFMailComposeViewController image orientation
  21. Call the official *Settings* app from my app on iPhone
  22. AVPlayer And Local Files
  23. How to: Save order of tabs when customizing tabs in UITabBarController
  24. How to change truncate characters in UILabel?
  25. Exception Types in iOS crash logs
  26. how to properly use insertRowsAtIndexPaths?
  27. iPhone NSDateFormatter Timezone Conversion
  28. How do you explicitly animate a CALayer’s backgroundColor?
  29. Force UIImagePickerController to take photo in portrait orientation/dimensions iOS
  30. Register UncaughtExceptionHandler in Objective C using NSSetUncaughtExceptionHandler

Leave a Comment