Reputation: 7256
I'm currently developing an app for iOS devices. This app downloads data from a WordPress blog, but fetches a nonce token first. This has been tested and shown to take about 2~3 seconds, which is a lot, considering it's a mobile device that should have the data ready in a few seconds. In addition to this, the data has to be downloaded as well, which takes another 4~5 seconds.
In the data-fetching method there are several security measures taken, for example a secret string that needs to match on both the web server and device (of course encrypted), and some sort of simple UDID validation + some header and user-agent tests. Is this enough, or do I really need the nonces? It's not like there is any sensitive data being passed through, and if it was, I'd of course encrypt it further.
Is it really necessary for me to use nonces?
Thank you.
Upvotes: 0
Views: 536
Reputation: 75058
If you are downloading public data, there's no need for the nonce authentication stuff.
If you are going to be modifying data on the server, or fetching data that is not public or otherwise has some kind of access control around it, then you'll need whatever mechanism WordPress requires to gain access (which it sounds like is a nonce-based token approach).
If it's taking a few seconds to get that token, how about fetching it on app startup/resume in the background?
Upvotes: 1
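The background prefetch suggested in the answer above, sketched as an added example (not code from either poster or from WordPress). `NonceCache`, the endpoint URL, the response format and the 10-minute lifetime are all assumptions; the lifetime must be set below whatever validity window the server actually enforces.

```swift
import Foundation

// Hypothetical in-memory cache for the nonce token. Nothing is written to disk,
// so a stale or leaked token does not outlive the process.
actor NonceCache {
    typealias Fetcher = @Sendable () async throws -> String

    private let fetcher: Fetcher
    private let lifetime: TimeInterval            // assumed validity window
    private var cached: (value: String, fetchedAt: Date)?
    private var inFlight: Task<String, Error>?

    init(lifetime: TimeInterval, fetcher: @escaping Fetcher) {
        self.lifetime = lifetime
        self.fetcher = fetcher
    }

    /// Returns a usable nonce: the cached one if still fresh, otherwise the
    /// result of a single shared network request.
    func nonce() async throws -> String {
        if let c = cached, Date().timeIntervalSince(c.fetchedAt) < lifetime {
            return c.value
        }
        // Coalesce concurrent callers onto one request instead of fetching twice.
        if let task = inFlight { return try await task.value }
        let fetcher = self.fetcher
        let task = Task { try await fetcher() }
        inFlight = task
        defer { inFlight = nil }
        let value = try await task.value
        cached = (value, Date())
        return value
    }

    /// Call when the server rejects a nonce so the next request refetches.
    func invalidate() { cached = nil }

    /// Fire-and-forget warm-up; call on app launch and on return to foreground.
    nonisolated func prefetch() {
        Task { _ = try? await self.nonce() }
    }
}

// Constructed usage: the URL is a placeholder, and the body is assumed to be the bare token.
let cache = NonceCache(lifetime: 600) {
    let url = URL(string: "https://blog.example/nonce-endpoint")!
    let (data, _) = try await URLSession.shared.data(from: url)
    return String(decoding: data, as: UTF8.self)
}
cache.prefetch()
```

By the time the user triggers a download, `try await cache.nonce()` usually returns immediately; if the server still rejects the token, call `invalidate()` and retry once.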