I have an application that can send HTTP requests (It uses Alamofire to achieve this). The problem I have is that the URL I'm using isn't secure, it is our company API for connected devices.
At the moment the user has to manually visit the API and trust it, then add a random certificate to keychain... Not very elegant.
I've created my own SessionManager : Alamofire.SessionManager and used .disableEvaluation on the URL, it is listed in the info.plist under App Transport Security Settings -> Exception Domains. All correctly formatted to the best of my knowledge. None of it prevents to user having to manually visit the site to trust it.
Anyone got any ideas?
Related
Facebook recently changed the security settings on Account Configs, now there is no more an option to force, or not, an application to use HTTPS protocol.
Therefore, it isn't possible to do a App without a SSL key. Previously we could just don't fill Secure Canvas URL field, and access the canvas app through the HTTP protocol. But now, without the option in the security user config, the facebook app keeps redirecting to the HTTPS protocol.
So, there is some workaround for this ?
As CBroe says, you need SSL.
There are 2 things you need in my opinion:
A webserver with SSL.
IF you're in OSX and you run Apache, this tutorial really helps:
http://blog.andyhunt.info/2011/11/26/apache-ssl-on-max-osx-lion-10-7/, plus you might want to add your certificate as a trusted (root?) certificate, or certificate authority. (I'm not very well versed in this)
The only caveat I found, specially for Chrome, is that when you're generating the Certificate Request File, under Common Name place "localhost" or the host you're using for development. This last caveat should be similar in Windows, since it's a browser requirement that the certificate common name matches the actual host. Browsers like Firefox allows you to permanently trust a certificate, thus avoiding all the certificate installation on the OS and trusting.
A proxy app
proxy-like app to act as a man in the middle and decode the encrypted information, in order to see the actual requests and response being sent and received from the server. There should be other software, but the one I use and love is Charles Proxy, which can do this and tons more.
Hope it helps!
I have a relatively successful app in the app store that allows people to view metrics on their iDevice using a JSON file hosted on the their server. The app has a simple settings screen in which you simply type the URL of your JSON file and the app takes care of visualising the data in the file. I use AFNetworking for this.
For example the URL might be: http://www.mylargecompany.com/factorykpi.json
Customers are now coming back to me and asking for the ability to connect to their servers more securely. Problem is there is a myriad of ways you can secure your server.
I need some advice. What kind of standard security features would I need to build into my app. I am confused by OAuth, HTTPS, etc.
I believe OAuth would mean the customers server would have to use it? Can you make a generic OAuth login screen in an app or do you need to know which web server you are connecting to authenticate.
Any advice on even the most basic of security measure would be very welcome!
Regards,
MonkeyBusiness
Security is really a very broad topic. There is no short answer. In any case, both web service and client app need to implement security mechanisms. I would recommend, you provide both the web service and client app.
You likely need some user login with a password, "server verifies user identity" and "client verifies server identity" using certificates. Then you utilize HTTPS which ensures to transport confident data in a secure way. The web service should be implemented with one of the well known web application frameworks since security is a scary business, and tricky. Implementing everything yourself, might end in a suboptimal insecure application.
You should now read more about the complex topic and come back when you have specific questions.
... most basic would be to use https, which would secure the transaction, but anybody accessing the same link would be able to access the same data. Thus you will need some kind of authentication, starting with a simple secret key passed as POST request, username and password and/or via certificates.
Web Servers have settings by which you request client certificates - for eg. SSLVerifyClient require in Apache, a different setting in IIS etc. If this is set, then the browser throws up a dialog asking you to chose a certificate.
Is it possible to ask for a certificate dynamically? i.e. I am really not interested in 2 way SSL - however, I want to ask the user to register his certificate with my application which will be used in a different context. So I need to let the user chose one of the certs registered in his browser and access the cert in my application. How do I do this?
Is this possible at all?
I have figured out one way to do this - I have a upload link in my application - this points to a Virtual Directory which has Client Side Authentication required property. So when the user clicks on the link - it triggers a SSL Renegotiation. The browser throws a dialog which lets the user chose from the registered certs. Once he chosen the certificate, SSL renegotiation happens and the I can access the cert in the application. The SSL renegotiation ensures that the user has the private key corresponding to the Cert.
If there any problems with this method or if there is a better way to do this, I am most certainly interested in doing it.
Also, I am currently doing this in IIS - but I think something like this should be possible in most other webservers also.
I am developing an iPhone application for my client in which I have to send requests to a Secure SSL Server(Client's server, everything is ready by server side) with certificate authentication.
I am not getting exact procedure, or exact code showing steps to be followed. (i.e Procedure is not clear to me)
If anybody can explain me the mechanism behind it, it will be helpful for me.
Thank you.
You need not to do anything.
Just use proper URL with https://
All the underlying complexity will be handled by NSURLConnection class. It is as same as calling any other network services.
I have an HTTPS WebService that need to be accessed from a Mobile (iPhone) application. both are developed by our-side.
We need to secure the Mobile access to this Service. So we used a username/password credentials.
We are aware of OAuth, but we need a more simple authentication scheme.
What We think of is the following:
The Mobile App shows a Login-form to the User/Resource Owner.
The Resource Owner enter The login credentials on behave of the Mobile App.
The Mobile app connect to the Server at special WS Method (e.g. "ValidateLogin") that takes username/password -probably hashed- as input and returns the HTTP Session Id.
The Mobile app persists this HTTP Session Id -which is a unique key from server side, and may be secure?- to communicate with the Server for subsequent requests (Invoking business methods).
If the Client doesn't communicate with the Server for say 30 Min, the Server will send 403/Session_time_out (The Mobile may remove the persisted HTTP Session Id to indicate to himself that he no longer has access to the Server resources - and It may opt to do so in case if it needs to end the communication with the Server)
In this case, the Mobile will need to use the Resource Owner again to obtain a new session id from the Server and gain access to the Server resources.
The Questions are:
Does the above steps are good enough to depend on?
What do you think from security perspective?
Do you have any other thoughts/opinions?
EDIT: It is a HTTPS WebService
The question is very open in nature, and I believe that it is difficult to answer those general questions with your specific needs in mind.
To answer some concrete questions:
How to secure your app against unauthorized clients?
Look at SSL and Client side certificates.
How to manage user credentials securely?
Look at using the Keychain API in iOS.