Reputation: 191
Send post data securely from iPhone
I have the following issue: I've understood how to create a secure login between an iPhone app and a WebServer (SSL,Https). My question is after creating the session token, how do I make sure that if a hacker intercepts it, in the subsequent POST requests I receive data from the same user?
I ask this because I would have to send the session token each time a request is made right? (to be able to identify the user).
I want to prevent multiple things:
- Session hijacking where someone would sniff the users token and send data instead of him (like a highscore or something)
- Data injection using data that would not be normally sent from my app like a 1.000.000.000 highscore (possible score but not easily attainable).
I have been looking at:
- UDID
- User Agent (if it's not from the app name of my app it's not good, the hacker would actually have to guess I do this check or download my php files somehow right?)
- The app is from the AppStore. If the request comes from an app that hasn't been approved by Apple it's not ok. I'm not actually sure if you can test this or not. If this works a hacker would have to actually submit an AppStore and download it to insert faulty data into my database which I hope nobody has time for.
- The MAC address. Not sure if allowed by Apple. The IP doesn't work because a valid user might change IP's.
Cookies from what I've seen can be easily traced and see what data is inside them.
Maybe I'm not asking the right question here so it could actually be how can I make sure the data I receive is from the correct user and the correct application?
Upvotes: 2
Views: 175
Answers (1)
Reputation: 163
The purpose of SSL around your POST requests is to prevent interception by a third-party in transit. If a hacker can get to it, it means the token was either leaked on the client (rooted device), server (insecure application logging/debugging) or they broke SSL. (unlikely)
You could perform some advanced checking by capturing device UDID (apple doesn't like this) or comparing to source IP, but it is going to be a lot of effort for questionable security improvement.
Just ensure everything sensitive is in SSL and you should be ok.
Upvotes: 1
Related Questions
- POST Request from iOS (AJAX, https)
- Sending POST data from iphone over SSL HTTPS
- Security of Objective C Post Method (iOS) over HTTPS
- Secure request from iPhone to Server
- HTTP POST request - sending username and password to the server
- Implement HTTP POST method in iphone app
- How to post data from iPhone to a web server using POST?
- How to secure HTTP Post services called from an iPhone app?
- How to exchange data with an webserver the secure way?
- secure iPhone to server communication so that only my app can post data?