Paul Peelen

Reputation: 10329

ios client <> php backend encryption

This may be somewhat of a vague description of my question, and I am unsure if this is best posted on Stack Overflow or on Super User.

My problem is the following: I am in the planning stage of building a quiz iOS app. In some cases it would actually hand out physical prizes monthly, which means security must be tight enough to decrease cheating possibilities. I will build a backend in PHP, on a Debian server with Apache and a certified SSL certificate (Rapid-SSL).

My guess is that every question needs to be sent back and forth to the server, for the server to authenticate the answer and let the user know whether the answer was correct or not. In some cases (the non-prize-winning quizzes) I even want to return the correct answer.

My question is: what is the best way of doing this, security-wise? Should I encode the data that is being sent back and forth, and if so, how and with what (is there some common encoding type which I can use, such as base64 or similar)?

Edit
What I meant was encoding, rather than encryption. I have updated the question.

Also, for authentication I was thinking of using Facebook OAuth login.

Upvotes: 0

Views: 330

Answers (2)

Vahid Farahmand

Reputation: 2558

Let me explain this in detail:

a) If you are afraid of a man-in-the-middle attack or modification of your packets before they are sent to the server (or received from the server), SSL will stop that.

b) If you want to stop hackers/debuggers/reversers: if they reverse your code and your code submits, for example, a high score over SSL, they can also submit it easily, like this:

https://yoursite.com/submithighscore.php?score=[SCORE] Even though you are using HTTPS, once a hacker has revealed the URL, the score submission method and the HTTP parameters, they can also submit fake results using a simple curl command.

So in this case, you can implement an advanced encryption algorithm, like encrypting data using a known algorithm with some application-specific changes of your own, and secure your application from reversing (which is a little hard). It will stop most hackers/reversers.

If you choose a good key-exchange algorithm and encryption scheme, faking it would be hard for hackers, except by injecting code or modifying your code. This time you have to take all anti-reversing measures. Even if you use public-key encryption here without taking anti-reversing measures, a hacker could inject code into your application which will, for example, add X points to every submission of points; it will not take more than a single assembly instruction.

Anyway, it's hard to have a really, really secure system: reversers are going to reverse, code-breakers are going to try to find out your encryption algorithm and try to break it. But you can still do your best to stop most hackers.

Upvotes: 1
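The answer above is right that TLS does nothing against the app's own user forging `submithighscore.php?score=...` with curl. The usual fix is not client-side encryption or obfuscation but making the score something the client cannot send at all: the server issues each question with a signed, single-use token, grades the submitted answer against its own answer key, and keeps the score itself. The following is an added example that is not part of the original question or answers. It simulates both sides of that exchange in Python for compactness; the backend on this page is PHP, where `hash_hmac()`, `hash_equals()` and `random_bytes()` give the same primitives. Every name in it (`QuizServer`, `issue_question`, `submit_answer`, `forge_token`, the `QUESTIONS` bank and its sample questions) is an assumption for illustration.

```python
"""Added example (not from the post): a quiz backend that never trusts a
client-computed score.  The server issues each question with a signed,
single-use token and grades the answer itself.  Both sides of the exchange
are simulated here in Python; the page's backend is PHP, where hash_hmac(),
hash_equals() and random_bytes() provide the same primitives.  All names
(QuizServer, issue_question, submit_answer, forge_token, QUESTIONS) are
assumptions for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed sample question bank.  The correct answer stays on the server.
QUESTIONS = {
    "q1": {"text": "Default HTTPS port?", "choices": ["80", "443", "8080"],
           "answer": "443", "prize": True},
    "q2": {"text": "Which hash is broken for signatures?",
           "choices": ["SHA-256", "MD5"], "answer": "MD5", "prize": False},
}


class QuizServer:
    def __init__(self, secret: bytes, ttl_seconds: int = 60):
        self.secret = secret            # server-only HMAC key, never shipped in the app
        self.ttl = ttl_seconds
        self.used_nonces = set()        # replay protection; a DB table in production
        self.scores = {}                # user_id -> score, computed only here

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def issue_question(self, user_id: str, qid: str, now=None) -> dict:
        """Return the question plus a token binding user, question, expiry and nonce."""
        now = time.time() if now is None else now
        claims = {"u": user_id, "q": qid, "exp": int(now) + self.ttl,
                  "n": base64.urlsafe_b64encode(os.urandom(16)).decode()}
        payload = json.dumps(claims, sort_keys=True).encode()
        token = base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)
        q = QUESTIONS[qid]
        return {"token": token, "text": q["text"], "choices": q["choices"]}

    def submit_answer(self, user_id: str, token: str, answer: str, now=None) -> dict:
        """user_id comes from the authenticated session, not from the request body."""
        now = time.time() if now is None else now
        try:
            b64payload, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64payload.encode())
        except (ValueError, binascii.Error):
            return {"ok": False, "reason": "malformed token"}
        # Constant-time comparison of the MAC before anything in the payload is trusted.
        if not hmac.compare_digest(self._sign(payload).encode(), sig.encode()):
            return {"ok": False, "reason": "bad signature"}
        claims = json.loads(payload)           # safe to parse: the signature proves we wrote it
        if claims["u"] != user_id:
            return {"ok": False, "reason": "token issued to another user"}
        if now > claims["exp"]:
            return {"ok": False, "reason": "token expired"}
        if claims["n"] in self.used_nonces:
            return {"ok": False, "reason": "replay"}
        self.used_nonces.add(claims["n"])
        q = QUESTIONS[claims["q"]]
        correct = hmac.compare_digest(q["answer"].encode(), answer.encode())
        if correct:
            self.scores[user_id] = self.scores.get(user_id, 0) + 1
        result = {"ok": True, "correct": correct, "score": self.scores.get(user_id, 0)}
        if not q["prize"]:                     # reveal the answer only in non-prize quizzes
            result["answer"] = q["answer"]
        return result


def forge_token(token: str, **changes) -> str:
    """Attacker helper: edit the claims (e.g. the expiry) but keep the original signature."""
    b64payload, sig = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64payload.encode()))
    claims.update(changes)
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig
```

With this shape a reversed client gains nothing: the only values it can send are a token it was given and one of the listed choices, the HMAC key never leaves the server, a token is rejected once used or once its TTL passes, and a token issued to one user cannot be replayed from another account. What remains, as the answer notes, is a user who simply knows the answers or looks them up, which no amount of transport encryption addresses.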

kokx

Reputation: 1706

If you are sending over SSL, the data definitely is already encrypted. Thinking about it, the biggest worry is authentication: knowing for sure that the user that is submitting a question is actually that user. For that, I would use simple password authentication. And because everything is over SSL, that should be enough. The biggest worry in that case is malware on the user's end.

Upvotes: 1
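"Simple password authentication" over TLS is fine, provided the server side is done carefully: passwords stored only as salted, slow hashes, verification in constant time, the same amount of work whether or not the username exists (so login timing does not reveal which accounts exist), and an opaque random session token afterwards that identifies the user on every subsequent request. The following is an added example, not code from the answerer or the original question; it is in Python for compactness, while the PHP backend on this page would use `password_hash()`, `password_verify()` and `random_bytes()` for the same steps. The names `UserStore`, `register`, `login` and `user_for_session` are assumptions for illustration.

```python
"""Added example (not from the post): server-side password authentication
for the quiz backend, simulated in Python.  The page's backend is PHP, where
password_hash()/password_verify() and random_bytes() cover the same steps.
Names (UserStore, register, login, user_for_session) are assumptions."""
import hashlib
import hmac
import os
import secrets


class UserStore:
    # 600k iterations is the order of magnitude currently recommended for
    # PBKDF2-HMAC-SHA256; the parameter exists so tests can run faster.
    def __init__(self, iterations: int = 600_000):
        self.iterations = iterations
        self.users = {}       # username -> (salt, derived key)
        self.sessions = {}    # opaque session token -> username
        # Dummy credentials used when the username is unknown, so a login attempt
        # against a non-existent account costs the same time as a real one.
        self._dummy_salt = os.urandom(16)
        self._dummy_key = self._derive("dummy-password", self._dummy_salt)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, username: str, password: str) -> bool:
        """Store a fresh per-user salt and the derived key; never the password."""
        if username in self.users or len(password) < 8:
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, self._derive(password, salt))
        return True

    def login(self, username: str, password: str):
        """Return an opaque session token on success, None on any failure."""
        salt, expected = self.users.get(username, (self._dummy_salt, self._dummy_key))
        matches = hmac.compare_digest(self._derive(password, salt), expected)
        if not matches or username not in self.users:
            return None
        token = secrets.token_urlsafe(32)     # 256 bits of randomness, not derived from the user
        self.sessions[token] = username
        return token

    def user_for_session(self, token: str):
        """Resolve the user behind a session token sent with each quiz request."""
        return self.sessions.get(token)
```

The session token is what the quiz endpoints should look up to obtain the user identity; it should be sent as an HTTPS-only header or cookie, never as a URL parameter where it ends up in server logs. If the app later moves to Facebook OAuth as the question mentions, the same `sessions` table is what the OAuth callback populates after the identity token has been verified server-side.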
