How secure is it to call "secret" URLs in an iOS app?

We want to use a web service in our app, which obviously requires calling a URL. It's not HTTPS, just plain old HTTP, using NSURLConnection.

The problem is: This web service is VERY expensive and every thousand calls costs us real money. The fear is that someone could figure out which URL we call and then misuse that, letting the costs explode. There is no way for us to track if a call to that web service was legitimate.

We're calculating based on how many apps we sell, multiplied by an assumption of how often that app will be used per user on average. We have some good statistics on which we base our assumptions.

Are there known ways of figuring out which URL an app is calling on the Internet to retrieve information?

dontWatchMyProfile asked Dec 08 '11 14:12



2 Answers

You could easily use a network sniffer while the phone is on WiFi to figure out this information. It sounds like it is actually critical that you use SSL with some sort of secure token in the URL.

If this is not an option, perhaps you can provide your own proxy service that would use SSL and security tokens? A proxy also grants the ability to throttle requests and block users known to be malicious. Throttling puts an upper bound on the expense each user can incur within a given time interval. Another benefit of a proxy is that it allows one to gather statistics and measure the costs incurred by different users, facilitating malicious user detection and business planning. A proxy could also save you some money if the service behind it is stateless, by adding a cache that would remove a lot of expensive calls.

Adam Zalcman answered Sep 19 '22 13:09
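As an added illustration of the proxy this answer describes (example code written for this page, not the answer's own or the asker's project): a minimal in-process model of the server-side proxy that checks a per-user token, throttles each user per time window, supports blocking abusive users, and caches responses so repeated queries never reach the paid upstream. `APP_SECRET`, the quota constants, `CostlyProxy` and the `upstream` callable are all constructed for the demo; TLS termination is assumed to happen in front of this handler.

```python
import hmac
import hashlib
import time
from collections import defaultdict

# Constructed demo values; a real deployment loads these from configuration.
APP_SECRET = b"constructed-demo-secret"   # stays on the server, never ships in the app
MAX_CALLS_PER_WINDOW = 3                   # per-user quota, bounds what one user can cost
WINDOW_SECONDS = 60


class CostlyProxy:
    """Sits between the app and the paid upstream service."""

    def __init__(self, upstream):
        self.upstream = upstream                # callable(query) -> str; the paid service
        self.upstream_calls = 0                 # the number we are actually billed for
        self.windows = defaultdict(lambda: [0.0, 0])   # user -> [window_start, count]
        self.cache = {}                         # query -> cached upstream answer
        self.blocked = set()                    # users identified as abusive

    @staticmethod
    def token_for(user_id):
        # Per-user token issued by the server; the app stores only its own token.
        return hmac.new(APP_SECRET, user_id.encode(), hashlib.sha256).hexdigest()

    def _authorized(self, user_id, token):
        # Constant-time comparison so a forged token cannot be refined by timing.
        return user_id not in self.blocked and hmac.compare_digest(token, self.token_for(user_id))

    def _throttled(self, user_id, now):
        window = self.windows[user_id]
        if now - window[0] >= WINDOW_SECONDS:   # start a fresh counting window
            window[0], window[1] = now, 0
        window[1] += 1
        return window[1] > MAX_CALLS_PER_WINDOW

    def handle(self, user_id, token, query, now=None):
        """Return (status, body) the way an HTTP front end would."""
        now = time.time() if now is None else now
        if not self._authorized(user_id, token):
            return 401, "unauthorized"
        if self._throttled(user_id, now):
            return 429, "too many requests"
        if query not in self.cache:             # only a cache miss costs money
            self.upstream_calls += 1
            self.cache[query] = self.upstream(query)
        return 200, self.cache[query]
```

Per-user counters and `upstream_calls` double as the usage statistics the answer mentions, so the same component can feed cost tracking and abuse detection.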


If the Web service is not encrypted, it would be trivial to use a proxy to intercept the Web requests made by the phone. If the expensive Web service does not offer at least some form of basic authentication, I would seriously reconsider including its URL in a public app.

Mike Fahy answered Sep 19 '22 13:09