Dave

Reputation: 425

How to throw Facebook token to own server securely?

I'm developing an iOS app (Swift) using 3rd-party (Facebook) authentication. I encountered a question, which is how I can throw the access token from Facebook to my own server.

I've been writing something like below..

// The Facebook access token is sent as a POST body parameter
Alamofire.request(.POST, "https://example.com/user/fb", parameters: ["access_token": facebook_access_token])

but I'm not sure this is safe enough. Not only that, when I implement email/password login as well, I've been writing something like below..

// The email and password are sent as POST body parameters
let user = ["email": "[email protected]", "pass": "password"]
Alamofire.request(.POST, "https://example.com/user/", parameters: user)

Are those safe enough? Or if there're best practices please let me know. Thanks!

Upvotes: 4

Views: 64

Answers (2)

Ruchira Randana

Reputation: 4179

Sending your credentials via SSL prevents others from reading the values in the middle. So, it's theoretically secure, i.e., it goes through the security provided by the transport layer.

However, it's not the recommended approach to send plaintext passwords to the server. The correct way is to hash the password at each client, then send the hash value to the server. At the server, you should compare whether the hashes match. You might need to make some changes to your server logic. But, in the long run, it should be worth it.

Upvotes: 1

Rjk

Reputation: 1474

I assume you are asking whether it's safe to send it over the network. If you are using an SSL-encrypted URL and pinning the SSL to your app, then yes, it is. Here is a blog post explaining how to do SSL pinning on iOS:

https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/

Upvotes: 0
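
The certificate pinning mentioned in the answer above, sketched as an added example (not code from the question, the answers, or the linked blog post). It assumes iOS 15+ and Foundation's URLSession rather than Alamofire; the class name, the pin value and the token variable are placeholders.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical delegate: the connection is accepted only if the system trust
// check passes AND the leaf certificate's SHA-256 matches a pin shipped in the app.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Base64 SHA-256 digests of the DER-encoded server certificate(s).
    // Ship a backup pin as well so certificate rotation does not lock users out.
    private let pinnedHashes: Set<String>
    init(pinnedHashes: Set<String>) { self.pinnedHashes = pinnedHashes }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: the normal chain and hostname validation must still succeed.
        // Step 2: extract the leaf certificate presented by the server.
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 3: compare the certificate digest with the pinned set; fail closed.
        let der = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: der)).base64EncodedString()
        if pinnedHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Constructed placeholder values; in an app this would live inside a function.
let facebookAccessToken = "<TOKEN_FROM_FACEBOOK_SDK>"
let delegate = PinnedSessionDelegate(pinnedHashes: ["<BASE64_SHA256_OF_SERVER_CERT>"])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
var request = URLRequest(url: URL(string: "https://example.com/user/fb")!)
request.httpMethod = "POST"
request.setValue("application/json", forHTTPHeaderField: "Content-Type")
request.httpBody = try? JSONSerialization.data(withJSONObject: ["access_token": facebookAccessToken])
session.dataTask(with: request).resume()
```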
