I want to make calls to the Amazon S3 rest API through an iPhone app. It means that I will have to write in my iPhone app the secretAccessKey and the accessKey of the Amazon S3 service.
If my app goes on the appstore, is it going to be dangerous for me? Maybe some people will extract my secretKey and my key to use it for other purposes?
Is there a way to protect my app from this kind of attacks?
Thanks!
Martin
If possible you shouldn't store your keys in your app.
You can see a lengthy discussion of the topic here: Architectural and design question about uploading photos from iPhone app and S3 (check out Adrian Petrescu's answer).
There are a couple of options here. First, upload your data to a central server and then onto S3. Your keys stay private on your server. Or you can look at presigning your URLs.
Related
I can't seem to find any documentation on how to access Google Cloud Storage using a service account from iOS. The iOS application writes images to Rails and I've used a service account with the ruby apis to save the image to Google Storage. I'm trying to read those images from iOS but it seems like the ability is not there and I'm not sure why. The only way I can make it work is to use an API key and set the predefinedAcl to 'publicRead'. This means my application's images are open to the internet.
What am I missing? Is there a reason this functionality isn't there in the iOS library? Any plans in the future?
Thanks
I think you are heavily compromising your security while following a really bad practice. Here's are two strategies on how to fix it:
When you save your images to Google Storage, you should create a signed URL for the same and use that as end point for clients/app. OR
Save original Google Storage URLs to user's account, inaccessible via user api, and during runtime when a request for image is received, generate a short duration based signed URL.
Service key based approach is really faulty as first you are giving away your project credentials and moreover you can never even expire those keys since they might be used in one of many end devices.
First of all, i'm new to Objective-C, so please be patient with me.
I want to add to my application users account management, users can register/log-in into a personal account that will synchronized with database on the internet. I dont have a clue how to do that. I know how to work with sqlite3. I was thinking maybe to create an sqlite3 database on the device. is it possible to store images into sqlite3 database? is it the best and efficient way to manage users on application?
what does sign in with Facebook or Twitter do? is it possible to add them both and another option for someone who doesn't have Facebook or Twitter?
What is the best way to handle account registration and login on iPhone?
Thanks alot!
I want to add to my application users account management, users can register/log-in into a personal account that will synchronized with database on the internet.
AFNetworking or ASIHTTPRequest can help you with this. create a web service api, maybe in php + mysql or any web scripting language you prefer, from the device you can POST your data like username and password and do the logic in your web service.
I was thinking maybe to create an sqlite3 database on the device. is it possible to store images into sqlite3 database?
what is your plan here? why would you create a database on the device? do you want to manage the users locally? if yes, that would be easier and more efficient because you dont need internet connection to create a request to server. and yes its possible to store images in sqlite by storing the image as blob
what does sign in with Facebook or Twitter do? is it possible to add them both and another option for someone who doesn't have Facebook or Twitter?
Yes its possible. you can have three log in options. facebook, twitter, and your custom log in option. if you want to integrate facebook and twitter on your app. there are many tutorial and docs you can find there.
I suggest: this for facebook and download the sample app
What is the best way to handle account registration and login on iPhone?
it depends on your app requirement, if you dont need to store your user data in a database on a cloud server, the best way is to create a local database on device.
This is a broad question - so the answer is going to be very general, little of which has to do with Objective-C, iOS, or Mac specifically.
It sounds like you are creating an application on a mobile device that needs to synchronize data with a database for which the mobile app is a client. One way of managing this is to start with table of users and credentials on your server, e.g. in MySQL. Then you need to write the API on the server side, e.g. in PHP, Rails, Python, etc. Then you will write the web service code on the device that interacts with the server's API.
If you are new to developing on iOS, then I would suggest running through some tutorials on consuming web services, first. That is, I would learn how to connect to pre-existing web services first. You might want to check out the AFNetworking library for Mac and iOS. It has some demo applications. But if you want to stick with the native URL loading system on iOS, there are numerous tutorials available. (Here's one)
I should mention another option is to use Amazon Web Services SimpleDB. There is an iOS SDK. It allows you to execute queries directly against the db without writing the server-side code.
You mentioned sqlite3. This will allow you to manage data on the device; but you state that you want to sync data with some resource on the internet. You can store images in sqlite3; but you can save yourself a lot of hassle by looking into Core Data as an alternative.
I'm able to upload files from iPhone using ASIHTTPRequest wrapper for an application which allows simple storage to my account. The question i'm concerned about is, could distributing the access keys along with the application be a good idea? what is the best way to deal with it in terms of security? are the keys i use sniffable via monitors over https? any suggestions over it will be appreciated.
I upload files to a server (using ASIHTTPRequest) and then from the server to an AWS account for this very reason. I can control the security on the server much easier than I can on devices. Plus, if I need to change the keys I can do it on the server very quickly.
This will add another layer to your application but I think it's well worth it.
You can also check out this post Architectural and design question about uploading photos from iPhone app and S3
I'd like to do OAuth for Twitter from an iPhone app. But doing so implies that I need to have my API secret alongside my API key baked into the application binary. This is obviously undesirable.
Facebook supports the notion of a session proxy to get around the parallel issue with their API.
Can I do something like this for Twitter?
Short answer: No.
OAuth was created for and works really well for web applications. It's a square peg in a round hole for native applications. Specification 1.0a was supposed to make it more viable for native applications, but it does little to help.
As you pointed out, one of the main problems with it is that the consumer keys have to be stored in the application. Not a problem for web applications where access to the source is limited, but a big problem for native applications.
The other major problem has to do with it providing no additional security over standard login forms for native applications, but I won't get into that.
But since Twitter is forcing it on you if you want access to higher rate limits and your application name associated with Tweets, you have little choice.
The only way to avoid having the consumer key in your application code is to proxy all requests through your own server.
Some put the key into a settings-type file that the application will read. Others store the key in a database file local to the app. Others store the key on their own server and the native app connects to the server to get the key and secret.
I would like to enable my iPhone app's data to sync with Google docs. How can this be done? What other sync'ing options do I have (another one I am aware of is EverNote Sync Server)?
try nutdb app for iphone. nutdb will sync every nutdb database with google docs hosted spreadsheet.
It is hard to give a specific answer without more detail, but Google does provide an API that allows some manipulation of document data. The httpriot library is a handy way to simplify access to REST structured web services like this.