Server-backed iPhone app - how do I restrict all backend access to the iPhone app only?

I don't mind pirated copies and so on, but I want to make sure that the backend (Rails-based) is not open to automated scripts that could DoS it, etc. Therefore, I would just like to ensure that all access to the backend (which will be several REST requests to GET and PUT data) comes through a valid iPhone application, and not from some script running on a machine.

I want to avoid using accounts so that the user interface is seamless.

My first intention is to hash the UDID and a secret together, and send this (along with the UDID) over an HTTPS connection to the server. This will either create an authenticated session or return an error.

If the connection is being tapped, an attacker can take the hash and replay it, leaving this scheme open to replay attacks. However, should an HTTPS connection protect me from eavesdropping?

Thanks!

+5
3 answers

As bpapa says, it can be tampered with, but as you say, you don’t worry about that; the worry is that someone goes and just sends a thousand requests to your server in a row, and the server has to process each one.

- . . 1 , , . .

- nonce. nonce , -, . . , , .

+6

SSL . , - , .

Rails, , . SSL - , iPhone, , , .

HMAC, HMAC-SHA1, -, . nonces, . , HMAC-SHA1 nonces, OAuth ( , , nonce ).

+3
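The question's replay worry and the second answer's suggestion (HMAC-SHA1 over the request plus a nonce, as OAuth does) fit together in one scheme: the app signs each request with a secret and a fresh nonce, and the server rejects stale timestamps, bad signatures and any nonce it has already seen. The following is an added illustration written for this page, not code from the question or any of the answers; the header names, the `APP_SECRET` placeholder and the 300-second clock window are assumptions, and the canonical string format is one reasonable choice rather than the OAuth one.

```ruby
require 'openssl'
require 'securerandom'

# Shared secret assumed to be compiled into the app (constructed placeholder).
APP_SECRET = 'replace-with-app-secret'.freeze
# Requests whose timestamp is further than this from server time are rejected,
# which also bounds how long the server must remember nonces.
MAX_CLOCK_SKEW = 300

# Everything the server must trust goes into the signed string: method, path,
# a digest of the body, the timestamp and the nonce.
def canonical_string(method, path, body, timestamp, nonce)
  [method.upcase, path, OpenSSL::Digest::SHA1.hexdigest(body.to_s),
   timestamp.to_s, nonce].join("\n")
end

def sign_request(secret, method, path, body, timestamp, nonce)
  OpenSSL::HMAC.hexdigest('SHA1', secret,
                          canonical_string(method, path, body, timestamp, nonce))
end

# Constant-time comparison so signature checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: the headers the app would attach to a request.
def build_signed_headers(secret, method, path, body, now: Time.now.to_i)
  nonce = SecureRandom.hex(16)
  {
    'X-Timestamp' => now.to_s,
    'X-Nonce' => nonce,
    'X-Signature' => sign_request(secret, method, path, body, now, nonce)
  }
end

# Server side: verifies the signature and rejects replays within the window.
class SignatureVerifier
  def initialize(secret, window: MAX_CLOCK_SKEW)
    @secret = secret
    @window = window
    @seen = {} # nonce => timestamp it was first accepted with
  end

  # Returns :ok, :bad_timestamp, :bad_nonce, :bad_signature or :replay.
  def verify(method, path, body, headers, now: Time.now.to_i)
    ts = Integer(headers['X-Timestamp'].to_s, 10) rescue nil
    return :bad_timestamp if ts.nil? || (now - ts).abs > @window

    nonce = headers['X-Nonce'].to_s
    return :bad_nonce if nonce.empty?

    # Check the signature before touching the nonce cache, so unsigned
    # traffic cannot fill it up or block a legitimate nonce.
    expected = sign_request(@secret, method, path, body, ts, nonce)
    return :bad_signature unless secure_equal?(headers['X-Signature'].to_s, expected)

    prune(now)
    return :replay if @seen.key?(nonce)

    @seen[nonce] = ts
    :ok
  end

  private

  # Drop nonces that are now outside the window; they can no longer be replayed.
  def prune(now)
    @seen.delete_if { |_, ts| (now - ts).abs > @window }
  end
end

if $PROGRAM_NAME == __FILE__
  verifier = SignatureVerifier.new(APP_SECRET)
  headers = build_signed_headers(APP_SECRET, 'PUT', '/items/1', '{"n":1}')
  puts verifier.verify('PUT', '/items/1', '{"n":1}', headers)  # first use: ok
  puts verifier.verify('PUT', '/items/1', '{"n":1}', headers)  # same nonce: replay
end
```

A captured request is only useful to a replayer inside the clock window, and only once, which is the property the question was after; it does not stop someone who extracts the secret from the app binary, which is the point the first and third answers make about tampering and about this being a first hurdle rather than a guarantee.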

, .

If you really want to go this route (to be honest, if you are not doing something really super-critical here, you are probably wasting your time), you could pass the iPhone device token. Or maybe hash it and then pass that. Of course, you have no way to verify it on the server side or anything, but if the bad guy really wants to take you down, this is the first hurdle he will have to deal with.

+2
