I am making a wss://
connection to ratchet (a PHP socket library) using SocketRocket (an Objective-c socket library).
I plan to send private data over this socket connection and then send the data back to the server with a https://
request.
The objective-c code:
//initiate global variable
@property (nonatomic) NSMutableArray* keys;
...
//receive the private data with SocketRocket
- (void)webSocket:(SRWebSocket *)webSocket didReceiveMessage:(nonnull NSString *)string
{
[_keys insertObject:string];
}
...
//$_POST the file data with sthttp
STHTTPRequest *r = [STHTTPRequest requestWithURLString:@"https://example.com/test.php"];
r.POSTDictionary = @{ @"key":_keys[0] };
...
Is there any possible way that a client can intercept this private data (within reason [buffer overflow, man in the middle, etc...])?
If you are using wss:// and https:// protocols, you don't have to worry about a man in the middle attack since all the data being sent is encrypted anyway.
However if under any circumstance you have to send data over an insecure protocol or URL query string, you can encrypt the data yourself using PHP's open SSL module and send it in clear text (eg:$_GET params).
Example: http://php.net/manual/en/book.openssl.php#91210
In this example $crypttext
will be binary data. This can be encoded into a base64 string and the url encoded if you need to send it via a GET or POST request.
urlencode(base64_encode($crypttext))
On the receiving end you can base64 decode and url decode to get the binary information and then decrypt the data using the private key as shown in the example.
base64_decode(urldecode($crypttext)
I would recommend that your certificates are all up to date and make sure your private key cert is protected and not accessible to anyone but you.
One note to remember is that if you are doing any logging, you might end up logging data that you want secure. I would double check your logging policy and make sure you are ok with it. Sometimes information will be passed along the url as query params and then those are logged to the servers log files.
If there is any history that you are saving, make sure to check that out or any caches on the mobile devices just in case.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With