I have an app that connects to an inhouse gameserver. I want to wrap the traffic in SSL to prevent hackers from sniffing the passwords and what not. Anyways, how do I go about doing that with an iphone app? I'm using CFNetwork to communicate to the server, and everything is in our own inhouse protocol instead of using http or something like that.
Thanks
You will need to set the appropriate CFStream properties prior to opening the streams. You do so by first preparing a dictionary using the appropriate kCFStreamSSL* keys and corresponding values and then calling CFWriteStreamSetProperty() to set that dictionary as the kCFStreamPropertySSLSettings property. The property should be shared between both streams in the connection pair.
If your server attempts to negotiate an SSL connection, I believe the streams will cooperate in the negotiation by default. You might have less work to do than you think.
Related
I'm trying to get into an implementation of some kind of push notification for a Windows WPF client application and a java backed server.
The idea is to avoid as much as possible polling the server, so I thought to implement it with sockets and messages, and relying in some easy pulling solution in case a socket connection could not be done, (Firewalls, etc).
In the other hand is important that the data traveling get encrypted.
So I have a couple of question/"request for opinions" more related with the WPF client:
Perhaps already exist some solution for that, any tips?
Could be good to think in some SSL sockets connections for that?
If 2 is OK, there is some native solution for secure sockets in .net or any library?
If sockets solutions is an option, I guess i need to go through port 443 and by the way it will avoid many problems with firewalls and so on, am i right?
I know there is many question but all are related to the same problem.
Thanks in advance.
http://clientengine.codeplex.com/
Yes, SSL is good if you need to keep the data secure during transfer
Yes, http://clientengine.codeplex.com/ indicates it supports SSL/TLS
Well, it depends on whether you are controlling the server or not. If you have control over it you can use whatever port you want.
A client asked me to do a back-end server for its iPhone application and want only users who bought the application to be able to call the server.
The problem is that he doesn't want to add a login system to the application, so that it seems to me there is no completely safe way to prevent someone without his application calls the server.
In any case, even if it can not be completely prevented, it would be sufficient to make it difficult to access servers without the application.
What is the best way to achieve this? Again, I do not need to fully protect the connection, there is no transit of sensitive information, I just want to make things a little more complicated for people who want to take advantage of server without paying the application.
The idea that seems most simple is to encrypt the data with a key stored within the client and known to the server, so that the message can be decrypted only decompiling the code and finding the key (of course instead of a key you could put a list of keys, which change every 6/12/24 hours).
Could this be a reasonable solution?
This will never be possible. Welcome to the nature of the client-server architecture. You can never trust the client. Just make sure the functionality you are exposing is safe.
well if its a paid app you could release the app for free with all the functionally locked down until a user does a in app purchase and then you could verify the receipt on your server therefore proving that the device is a iOS Device?
sharing a key between the client and the server seems to be a good way to go. But instead of depending on the stored keys only, try combining them with a Unique identifier, such as UUID and send it to server both with the combined key, and the UUID itself.
At that point users UUID will be his identifier (username) and the combined key will be his token (password). And this will be a login-like mechanism.
An SSL connection is not enought to prevent other people from getting the URL for the requests? Or even better using an SSL connection with a basic auth?
In an IPhone app, I want to create a connection, have the user log in to a webservice once, and then have all subsequent requests by multiple threads reuse the authorized connection. What is the best way to implement this in iOS?
FYI: I have implemented this previously in an Android app by using Apache HTTPClient with a threadSafeConnectionManager whereby whenever you need a connection, you ask the shared httpClient for one and it dispatches one from the pool it maintains; all connections retain the same authentication credentials. I am looking for the comparable way to do this in an IPhone app.
I don't know of any built in mechanism for this, but you could fork ASIHttpRequest and bend it to your will. It shouldn't take much effort to refactor the authentication part from a shared location, but your concept of reusing the TCP socket may take a bit of work. There probably isn't a way of doing it with NSURLRequest, but since ASIHttpRequest uses the core foundation methods, that is not an issue.
I have an iphone app that retrieves and send data to a server that uses python.
What measures could i take in order to prevent security risks?
I an not handling extremely sensitive data but i wouldn't want people sniffing the contents.
Is using SSL enough to prevent most risks?
Thanks
SSL should be sufficient. It's also a good idea to store the user's password (if you need one to login) inside the Keychain. Btw, don't send anything to the server in a QueryString, always do it with a post, otherwise the SSL won't do much to help you.
If you don't have super-sensitive data, you can also use HMAC messages in order to query your server. I've done this with several projects before.
The message sent to the server may be a little more heavy-weight but is a viable option if you don't want to go with getting a SSL certificate.
I'm writing an iPhone application that needs to send small bits of information (two strings of under 128 characters each, at a time, and this doesn't happen too frequently) to a server when users interact with it. I would like this information to remain confidential, so I'm thinking of some sort of encryption or secure connection would be necessary.
My question is about the server side of things. The server the iPhone app has to communicate with is written in django and is running on lighttpd. What is the most appropriate way (or what is a standard way) of doing this. I was thinking https, which I know on the iPhone I can use ASIHTTPRequest to do a POST request, but I don't know what it requires on the server side. Do I need a certificate? How does the data get encrypted/secured? Are there any django modules to help with this? Do I have to do something to configure lighttpd?
Would something like xml-rpc or json-rpc be simpler? Is it possible to secure such communication? At what level would that occur?
Any help would be much appreciated.
Using xml-rpc or json-rpc are only means to encapsulate your data into a form that is easy to transport. Your iPhone app can transform the Objective C data using one of those formats and your Django server app can transform the data back into Python objects.
Neither of these have anything to do with security.
Creating an HTTPS (SSL) connection encrypts all communication between the client (iPhone) and the server (Django). You will need to get a certificate for the server side. This indicates to the client that the server is who it claims to be. Your next line of research down this path should be about how to configure lighttpd to handle SSL traffic. Once lighttpd negotiates the SSL communication, your Django app will operate as it does for non-secured traffic.
This is your best choice.
If, for whatever reason, you don't want to use SSL, then you could find strong encryption libraries for both ends of the communication. The iPhone app could encrypt the data, send it over an HTTP connection and the Django app could decrypt it. For example, the pycrypto Python library implements strong encryption ciphers such as AES and Blowfish. You might be able to find an implementation of one of these ciphers written in Objective C.
Did you notice that this is getting increasingly complex?
Go with SSL. It's the way security is done for HTTP-based communication.
Hmm it looks like this might be what you're after, have you seen it?
Setting up SSL for Lighttpd/Django
If I read that right, that setup allows your server to answer https and http requests (?)
Then if your whole app isn't going to be https there's this SSL Middleware to help configure some paths as ssl and some not.
If you use https (SSL) on the server side it shouldn't matter if you use XML-RPC or JSON-RPC. All the data you transfer will be encrypted and secure.
I can only speak from our Rails application and nginx. I bought a SSL certificate from GoDaddy (very cheap) and nginx is setup to encrypt the content (Rails is not doing this itself) on the fly when it sends it out. On the iPhone ASIHTTPRequest will be responsible to decrypt the data. All other layers shouldn't be concerned about the encryption, you can send anything you want.
You might also be able to use a self-signed certificate. We decided to use GoDaddy as we also use the SSL certificate for regular browsers, and those show a warning message to the user if they encounter a self-signed certificate, which obviously scares people away.