I'm trying to verify that HTTP requests from iOS application were really sent from mobile application. Currently server code just checking 'User-Agent' HTTP header and of course it's not very reliable solution.
Here is how I see current iOS SDK can be used to verify that client is an actual iPhone user.
Push notifications
iOS app requests push token from the operating system and sends it to server
Server sends push notification to application with hidden identifier
iOS app sends received identifier to server
Server responds with cookie
Here on the first stages of communication we can verify that user is mobile user because how else she got identifier from push notification to specific app.
dis. Not quite reliable even if we can repeat push notification. Misuse of push notifications.
In-App purchase
It is possible to reuse receipt verification here.
dis. Obvious misuse. Confusing.
So the question is – are there any proper ways to confirm that request was sent from iOS application, from iOS device ?
iOS11 introduces new API https://developer.apple.com/documentation/devicecheck#overview
It looks like it solves the problem.
Related
I’m looking at the designing and developing a service for Push notifications, and am trying to understand the order of processing in the Apple App when it comes to Registering for Push Notifications and storage of the Token.
What I’m developing currently is a service that allows subscription to individual changes that happen to particular processing on our server.
When they happen, the phone user may receive a message of type “A”, “B”, or “C”.
The phone user has to “subscribe” to each of these types individually if they want them. Otherwise they can ignore it and not subscribe.
So User Fred, on Phone #4, starts our App, logs in, and then has the ability to turn on or off subscriptions to events that are sent as Push Notifications.
So I need to tie details from Fred’s login, to Phone #4’s device Token, with particular subscriptions.
So my particularly important questions are.
When the Phone connects to the APNS server to get its device token, is this automatic on app start? Or can this be initiated at a later step? Ie, after going through a loging screen on our app.
Can we (are we allowed to) store the device token on the phone in the App's data store?. Or, should the App be connecting to the APNS server every time the app is run?
How does the App know if it as already called the APNS server and retrieved a token, or as above, should it call the APNS server time the app is run?
Can we (are we allowed to) store the token in the App’s memory as it runs, so we can properly subscribe and unsubscribe for particular messages?
We need also to be able to list all the subscriptions that a particular user may have across all their devices so the user can remove old devices (if they change phones). Or can we rely upon data back from calls to the APNS – when we attempt to push a notification - to inform us that a device token is no longer valid?
Or is there some better way of tying this all together?
When the Phone connects to the APNS server to get its device token, is
this automatic on app start? Or can this be initiated at a later step?
Ie, after logging into our app.
After the app has started, the app gets the token by calling registerForRemoteNotificationTypes. This will prompt the user for permission, and call a callback with the device token if permission is granted.
Can we (are we allowed to) store the device token on the phone in the
Apps data store?. Or, should the App be connecting to the APNS server
every time the app is run?
You'll need to build an APN provider, which is a web server that calls apple to send the pushes. The thing to do with the token is post it to your server that uses the APN provider. The app doesn't connect to APNS, your provider does, and it does it when it has pushes to send.
Can we (are we allowed to) store the token in the App’s memory as it
runs, so we can properly subscribe and unsubscribe for particular
messages?
You can keep the token on the client, but you don't really need to. It's your web service that calls APN, so it needs to be kept aware of your users' subscription prefs.
We need also to be able to list all the subscriptions that a
particular user may have across all their devices so the user can
remove old devices (if they change phones). Or can we rely upon data
back from calls to the APNS – when we attempt to push a notification -
to inform us that a device token is no longer valid?
APN also provides a feedback service that you call in batch which returns the device tokens that are no longer valid. Not only can you use this service, but you must. Apple will get mad at apps that repeatedly send to no longer valid devices.
Or is there some better way of tying this all together?
Yes! Parse.com provides a nice wrapper on the client code, does the provider and feedback service, abstracts the idea of single devices to the idea of a "channel" which sounds like just what you need for multiple notification types A, B, C, provides a super-easy step by step setup, and loads of other useful cloud services for iOS. (I'm not affiliated, but a big fan).
My application is in Appstore now and ı cant find out device tokens.is it possible to send push notification without device token
Simple answer: No, sorry.
Longer answer: No, you'll need to submit a new binary which collects the device tokens and submits them to your server.
You really should have sorted all of this out during testing with the sandbox before releasing to the AppStore!
The device will send your server a token to indicate that it wants to receive notifications. It is up to your server to store these tokens and send the appropriate messages to the devices as and when required.
Your server should also respond to people requesting to not have notifications any further and also for tokens that have become "inactive".
In my app, for first time push notification registration, I call didRegisterForRemoteNotificationsWithDeviceToken and save the device token in persistence as well as update my server list for device token. Now afterwards if somebody turns the push notification settings off from iPhone Settings how can I determine it from my app so that I can remove the device token from server as well. I know APNS provides a feedback list, but other than that is there a way to determine it in App programmatically? Thanks for any help!
I believe you do not want to manage tokens this way.
Your app should always be asking Apple for an APNs token. You should always then send that token to your own server, likely associating the token with your user (if you have one). You do this because the token could change, so you want to make sure you always have up-to-date tokens.
The Feedback service will tell you (actually, you poll it at some interval of your choosing) which tokens have become invalid. At this point, you remove the tokens from your server-side database. To be clear, you need a server-side process that polls Apple's feedback service and then updates your server-side database.
You will not receive feedback about invalid tokens until you try to send a notification using the token. The notification will (I believe) be accepted by Apple when you send it, but when Apple discovers it's for an invalid token, the message is dropped, and the token is added to your feedback.
Now, if the user of your app accepts push notifications when your app first asks about it, but later turns off notifications via the Settings app for your app, you will not get any feedback about it. What happens, near as I can tell, is that any notification you send to that device will be sent to the device, but the OS drops it, honoring the user's ultimate choice in the Settings app for your app and notifications.
Finally, there is an API you can call in your app to get a bitmask of which kinds of notifications are enabled for your app on the device. Here's a method I wrote for this purpose; adjust as needed:
+(BOOL)acceptsPushNotifications
{
UIRemoteNotificationType mask = [[UIApplication sharedApplication] enabledRemoteNotificationTypes];
return (mask & UIRemoteNotificationTypeAlert) == UIRemoteNotificationTypeAlert;
}
But I would not recommend using this to decide if you app should tell your server to delete the token from your database. That's not how the whole APNs system is intended to work... I believe.
I want to ask you guys
How device receives push notification?
Is our device continuously connected to apple's server?
Many Thanks,
Nav
Device does not remain connected. In fact the app might not even be running any more.
The mechanism is as follows:
Your application has to register for notifications.
When it registers you get a token, which you send to your server.
When you wish to send a push notification, your server connects to Apple server and sends a message to the previously registered token.
Simple :)
For more details see:
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9
How reliable do you find push notification on the iPhone to be? Does it improve when moving from the sandbox to production server?
I am testing (with the sandbox of course) and have found that notifications are often delayed or not received at all. I am not talking about sending multiple messages and only the last one arriving, as the documentation indicates, but any notification never showing up.
Also, I noticed that if I send a notification with an alert, and then send one with just a badge number, that the second notification will close the alert even after it's already opened. Does this happen between apps as well? For instance, if I send an alert for my app, and then the Facebook app sends a badge, will the Facebook badge close my alert window?
I have no development experience with iPhone apps, but I do know that if you have an unofficial unlocked phone (by using pwnage tool/blackrain etc) then the PUSH notifications might NEVER go through. In fact, it does go through, but to another user's iPhone.
This is because when an iPhone is unofficially network unlocked, it uses the Unique ID of some random individual's iPhone, which causes Push notifications to arrive on either phone (and yes, sometimes also on the unlocked phone it was intended for, but usually not)
Not sure if this is the case with you though, but AFAIK the service is pretty reliable if you follow Apple's rules. :)
The push notification seams better on production. You can always test it using ad-hoc distrbution which uses the production chanel to send the notifications.
I can confirm that production push notifications using
Production Push Notification Certificate
Adhoc Distribution Mobile Provisioning
TestFlight deployment
Production APNS server
works well, no need to publish your app to test production notifications
Production push notifications are not always received. If notifications are machine gunned 1 second apart the first one is received and the rest are not sent, thats my experience.
Where as on a windows phone, they are all received using the windows notification service.