TerryB

Reputation: 629

iPhone - Web Access Authentication

I am building a secure app for our execs... here is my setup. It's a somewhat MacGyver approach, but bear with me :)

  1. There are only 10 users, I have a record of each uniqueIdentifier on my backend in a database table. (This is internal only for our users, so I don't believe I am breaking the public user registration rule mentioned in the API docs)
  2. Through ad hoc distribution I install my app on all 10 devices
  3. My app is simply composed of a UIWebView.
  4. When the app starts it does a POST to our https site sending the uniqueIdentifier. (Thanks to this answer)
  5. The server page that receives the POST checks the uniqueIdentifier and, if found, sets a session cookie that automatically logs them into the site.
  6. This way the user doesn't have to enter their credentials every time.

So what do you think, is there a security hole with this?

Thanks

Upvotes: 0

Views: 787

Answers (1)

Alex Reynolds

Reputation: 96937

Since you are storing all your unique IDs in the application, each of which is a credential that unlocks access, all I need to do is steal one of your employees' phones or otherwise get a copy of the application to look for those keys.

If you need to store credentials on the phone, use the iPhone's Keychain.

Upvotes: 2
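
The Keychain storage recommended in the answer above, as an added example that is not code from the question or the answer. The service and account names are hypothetical, ARC is assumed, and the credential is whatever secret the app sends to the server.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers for the single Keychain item this app owns.
static NSString * const kCredService = @"com.example.execapp.login";
static NSString * const kCredAccount = @"session-credential";

// Attributes that identify the item; shared by every call below.
static NSMutableDictionary *CredentialQuery(void) {
    return [@{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kCredService,
               (__bridge id)kSecAttrAccount: kCredAccount } mutableCopy];
}

// Stores the credential, replacing any earlier value. Returns YES on success.
BOOL StoreCredential(NSData *credential) {
    NSMutableDictionary *item = CredentialQuery();
    item[(__bridge id)kSecValueData] = credential;
    // Readable only while the device is unlocked; the item does not migrate
    // to another device through a backup restore.
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (status == errSecDuplicateItem) {
        // An item already exists: overwrite its data instead of failing.
        NSDictionary *changes = @{ (__bridge id)kSecValueData: credential };
        status = SecItemUpdate((__bridge CFDictionaryRef)CredentialQuery(),
                               (__bridge CFDictionaryRef)changes);
    }
    return status == errSecSuccess;
}

// Returns the stored credential, or nil if absent or the device is locked.
NSData *LoadCredential(void) {
    NSMutableDictionary *query = CredentialQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return status == errSecSuccess ? (__bridge_transfer NSData *)result : nil;
}
```

A nil return from `LoadCredential` should fall back to an interactive login rather than retrying silently.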
