 

Limit web service access to iPhone app

I'm managing the development of an iPhone app that relies on web services to provide catalog access. My main security concern right now is someone accessing my web service and replicating/scraping my entire catalog (right now, it doesn't contain anything proprietary - but that would change).

In short, I need to limit the web service access to my iPhone app. While the app is in beta, I could easily get the iPhone device ID and limit it to only the 5 developers. But when the app goes live, I don't want (and not sure I can legally) collect device IDs for authentication.

I tried limiting access by the user-client string - but that can be spoofed.

My next step is some kind of shared pass phrase - but again, that can be sniffed.

Any other ideas?

TIA,
Guy

Traveling Tech Guy asked Nov 07 '10 21:11



2 Answers

Ultimately this is going to come down to authentication. I think you're going to have to use secure communications, namely some kind of certificate-based encryption of some value that is only available to the iPhone application.

If the Auth can be spoofed then you have no protection against this.

There is some info in this question: Best Security Framework to secure and authenticate an iPhone app which uses REST? or here:

http://www.flowmessenger.com/blog/2009/11/10/iphone-and-secure-restful-authentication.html

Preet Sangha answered Nov 05 '22 13:11



I have built a similar solution, and the way security is addressed is with HTTPS access on the server and username/password authentication to access the API/web service.

I believe you can feel more comfortable limiting by the device ID or something else with a higher level of confidence once you implement HTTPS.

Aaron Saunders answered Nov 05 '22 13:11

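Both answers point at the same thing: the question's "shared pass phrase" only becomes useful once it stops travelling in the clear and is bound to each request. The server-side check below is an added example (not code from either answerer) of one way to do that: the client signs the method, path, timestamp and a one-time nonce with an HMAC over the shared secret, and the server rejects stale, replayed or mis-signed requests. The secret value and the 300-second window are constructed for the example; the secret is assumed to be issued to the user after an HTTPS login, since a secret compiled into a shipped app can be pulled out of the binary, so this supplements per-user authentication over HTTPS rather than replacing it.

```python
import hashlib
import hmac
import time

# Constructed example values: in practice the secret is issued per user/device
# after an HTTPS login, never hard-coded into the shipped app binary.
SHARED_SECRET = b"example-secret-do-not-ship"
MAX_SKEW_SECONDS = 300


def sign_request(secret, method, path, timestamp, nonce, body=b""):
    """Client side: HMAC-SHA256 over the canonical request fields."""
    msg = b"\n".join([method.encode(), path.encode(),
                      str(timestamp).encode(), nonce.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server side: checks freshness, replay and signature on each request."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so the check is testable
        self.seen_nonces = {}     # nonce -> request timestamp, for replay detection

    def verify(self, method, path, timestamp, nonce, signature, body=b""):
        now = self.now()
        # Drop nonces older than the acceptance window; they can no longer replay.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW_SECONDS}
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(self.secret, method, path, timestamp, nonce, body)
        # Constant-time comparison so timing does not leak partial matches.
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen_nonces[nonce] = timestamp
        return True, "ok"
```

Sent over HTTPS, the signature and nonce are not exposed to a passive sniffer, and a captured request cannot be resubmitted outside the window or with a reused nonce.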