Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to securely send private data over a web socket to an objective-c client and back to the server?

Tags:

php

objective-c

cocoa

sockets

I am making a wss:// connection to ratchet (a PHP socket library) using SocketRocket (an Objective-c socket library).

I plan to send private data over this socket connection and then send the data back to the server with a https:// request.

The objective-c code:

//initiate global variable
@property (nonatomic) NSMutableArray* keys;

...

//receive the private data with SocketRocket
- (void)webSocket:(SRWebSocket *)webSocket didReceiveMessage:(nonnull NSString *)string
{
    [_keys insertObject:string];
}

...

//$_POST the file data with sthttp
STHTTPRequest *r = [STHTTPRequest requestWithURLString:@"https://example.com/test.php"];
r.POSTDictionary = @{ @"key":_keys[0] };
...

Is there any possible way that a client can intercept this private data (within reason [buffer overflow, man in the middle, etc...])?

like image 995
maxisme Avatar asked Oct 17 '22 16:10

maxisme

2 Answers

If you are using wss:// and https:// protocols, you don't have to worry about a man in the middle attack since all the data being sent is encrypted anyway.

However if under any circumstance you have to send data over an insecure protocol or URL query string, you can encrypt the data yourself using PHP's open SSL module and send it in clear text (eg:$_GET params).

Example: http://php.net/manual/en/book.openssl.php#91210

In this example $crypttext will be binary data. This can be encoded into a base64 string and the url encoded if you need to send it via a GET or POST request.

urlencode(base64_encode($crypttext))

On the receiving end you can base64 decode and url decode to get the binary information and then decrypt the data using the private key as shown in the example.

base64_decode(urldecode($crypttext)

like image 66
Arithran Avatar answered Oct 20 '22 23:10

Arithran

I would recommend that your certificates are all up to date and make sure your private key cert is protected and not accessible to anyone but you.

One note to remember is that if you are doing any logging, you might end up logging data that you want secure. I would double check your logging policy and make sure you are ok with it. Sometimes information will be passed along the url as query params and then those are logged to the servers log files.

If there is any history that you are saving, make sure to check that out or any caches on the mobile devices just in case.

like image 29
Ray Hunter Avatar answered Oct 20 '22 23:10

Ray Hunter
Sign in to Comment

Related questions

Get number from a string after specific character and convert that number
Laravel: Nesting query join results in a sub array
Class definitions in the same file cause fatal error
laravel get all models with relations and the relations of these relations
Can I override the AuthenticatesUsers login() method to implement a custom login involving a call to a REST web service in this Laravel application?
Get "Speaking URL path segment" from english version
Why should i use JWT not simple hashed token
Make column auto incrementable with Laravel Migration
When do I need to use password_needs_rehash()?
Laravel APP_URL not changing
Difference between Request (Facade) and Illuminate\Http\Request
Docker Image installing php modules
Free shipping depending on weight and on minimal cart amount
PHP: String to multidimensional array
Searching for a string in a file in a different language - PHP - UTF-8
How to handle MySQl null dates returning '-0001-11-30 00:00:00'
Change Zend_Auth storage backend $_SESSION to Memcached
php password_verify not working with database [duplicate]
php - context node in xpath problem
Good single sign-on solution for Laravel [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!