Reputation: 165
I am working on an iPhone app which consumes lots of web services and requests data from them as well. All my web service links are "http://ipaddress/webservice". I am just concerned with the security side of my app and wondering:
1) How easy is it to see the requests going from an iPhone app to the server and the data related to it?
2) Also, if I can actually view the body of my POST request in some intercepting tool like Fiddler. Is there a way I can keep my data from being recorded by Fiddler?
3) Lastly, how can I check on the server side if it's an iPhone that's trying to access my web service or it's some other source like a web browser or Android phone?
Thanks
Upvotes: 0
Views: 304
Reputation: 9035
It's trivial to sniff http(s) traffic. There is a tool out called mitmproxy that can even decrypt SSL traffic. Anything you send out over WiFi can be intercepted and recorded by anyone who happens to be listening for it.
My advice would be to not send usernames and passwords as part of the URL, i.e. mysite.com/auth?user&pass=12345, and to use SSL.
If you encode a special user-agent string in your header you could identify clients that way.
Upvotes: 0
Reputation: 383
1: Fairly easy. You could encrypt your data with a unique key, and decrypt it in the application. You also might wanna use SSL?
2: Not sure.
3: You could use User Agent, but that can be modified. It's one solution, but if you use encryption that won't matter anyway, because the result is unreadable.
Edit: look at the link below as well. Xcode: hide / protect resource files in final iOS app?
Upvotes: 1
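An added example, not part of the question or either answer above: a Python sketch of a server-side access-log audit that flags credential-like query parameters such as the `auth?user&pass=12345` pattern and classifies clients by User-Agent as a hint only, since the header can be modified. The log format, the `ExampleApp-iOS` token, the parameter list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (assumed list; extend for your API).
SENSITIVE = {"user", "username", "pass", "password", "pwd", "token", "apikey"}
# Hypothetical custom User-Agent token the iOS app would send.
APP_UA_TOKEN = "exampleapp-ios"

# Combined-log-style line: "METHOD target HTTP/x" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def client_hint(user_agent):
    """Best-effort client guess. The header is client-controlled, so use it
    for statistics only, never as an access-control decision."""
    ua = user_agent.lower()
    if APP_UA_TOKEN in ua:
        return "ios-app"
    if "android" in ua:
        return "android"
    if "mozilla" in ua:
        return "browser"
    return "unknown"

def audit(line):
    """Return path, leaked credential parameter names and client hint."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # keep_blank_values so a bare "?user" (no "=") is still seen
    params = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k.lower() for k, _ in params if k.lower() in SENSITIVE})
    return {"path": parts.path, "leaked": leaked, "client": client_hint(m["ua"])}

# Constructed sample access-log lines (documentation IP range).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /auth?user&pass=12345 HTTP/1.1" 200 17 "-" "ExampleApp-iOS/1.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /auth HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Linux; Android 13) Chrome/120.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = audit(entry)
        flag = "CREDENTIALS IN URL" if result["leaked"] else "ok"
        print(result["path"], result["client"], flag, result["leaked"])
```

Credentials in a query string end up in server logs and proxies even when the transport is encrypted, which is why the audit looks at the logged request line.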