So here's the situation: I've got an iOS app that has a part where users input information into specific labels, and then I create a URL request based on the user's given information and send this over to my PHP backend. The URL follows the below structure:
http://www.somewebsite.com/send.php?title=hello&name=john&contact=email
Now the problem with the above is that anyone who has access to the URL can easily bombard the database with spam, too many submissions, etc. It feels very insecure. What should my approach to making this process as secure as possible be?
My current knowledge level with PHP is being able to get tasks accomplished by simply using methods that "get the job done" (regardless of how safe they are), but now I'm starting to get to the point where I need to keep security, safety, etc. in mind. Helpful advice/insight will be greatly appreciated. Thank you!
The best way to secure this is to lock your server-side components (i.e. the PHP part) behind an OAuth2 authentication layer. I personally recommend this OAuth2 Server for this purpose.
The general workflow will be like this:
1. Send an API key/username/password/etc to an API endpoint (i.e. a URL)
2. Get a token, store it in memory for future use
3. Send this token on subsequent requests
This solution is superior to sending a hash (e.g. MD5) of the data, because this does not authenticate anything. It also addresses the underlying problem rather than hiding it (e.g. POST rather than GET does nothing for securing your communications). However, OAuth2 does not provide confidentiality. A man in the middle can still see/mangle your requests.
To better protect your users you should be using HTTPS (TLSv1.2 with PFS) on your app. Exclusively. Don't even have a port 80 HTTP server that does anything more than redirect to your HTTPS server. Also send HSTS and HPKP headers, if iOS supports them.
If you need better security than HTTPS + OAuth2 offers, I suggest learning application security full-time because the more detailed and intricate solutions will only make sense if you have a great breadth of knowledge on the subject. (Depending on your threat model, of course!)
For example, the defense against an attacker reverse engineering your app to recover hard-coded API keys is simply not to have them, which complicates your workflow and possibly requires authenticating each user.
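The "send this token on subsequent requests" step from the answer above, seen from the PHP side: this is an added illustration, not code from the question, the answer, or the OAuth2 server the answer recommends. It uses a simplified lookup of a stored token hash in place of a full OAuth2 library, and the `api_tokens` and `submissions` tables, the DSN and the credentials are placeholders.

```php
<?php
// Added example, not from the original answer: the "send this token on
// subsequent requests" step, verified on the PHP side. The OAuth2 server that
// issues tokens is out of scope; we assume (hypothetical schema) tokens were
// issued earlier and stored as SHA-256 hashes in a table `api_tokens`.

// 1. Refuse plain HTTP: the token would otherwise cross the network in the clear.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}

// 2. Take the bearer token from the Authorization header, not the query string,
//    so it does not land in web-server access logs.
$auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (!preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', $auth, $m)) {
    http_response_code(401);
    header('WWW-Authenticate: Bearer');
    exit('Missing token');
}
$presented = $m[1];

// 3. Look the token up by hash so the plaintext is never stored server-side.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT user_id, expires_at FROM api_tokens WHERE token_hash = ? LIMIT 1'
);
$stmt->execute([hash('sha256', $presented)]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || strtotime($row['expires_at']) < time()) {
    http_response_code(401);
    exit('Invalid or expired token');
}

// 4. Only an authenticated request reaches the insert; every row is tied to a
//    user_id, so abuse can be rate-limited or revoked per account.
$title   = trim((string)($_POST['title'] ?? ''));
$name    = trim((string)($_POST['name'] ?? ''));
$contact = trim((string)($_POST['contact'] ?? ''));
if ($title === '' || $name === '' || $contact === '') {
    http_response_code(400);
    exit('Missing field');
}
$ins = $pdo->prepare(
    'INSERT INTO submissions (user_id, title, name, contact) VALUES (?, ?, ?, ?)'
);
$ins->execute([$row['user_id'], $title, $name, $contact]);
http_response_code(201);
echo 'ok';
```

Depending on the web server, the Authorization header is not always forwarded into `$_SERVER['HTTP_AUTHORIZATION']` without extra configuration, so check that it actually arrives before relying on this check.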