How to safely send personal data via a web socket to an objective-c client and back to the server?

I connect over wss:// to Ratchet (a PHP socket library) using SocketRocket (an Objective-C socket library).

I plan to send personal data over this socket connection, and then send the data back to the server with an https:// request.


Objective-C code:

    // Global property that collects the received values
    @property (nonatomic) NSMutableArray *keys;
    ...
    // Receive the private data with SocketRocket
    // (_keys must have been initialised, e.g. _keys = [NSMutableArray array];)
    - (void)webSocket:(SRWebSocket *)webSocket didReceiveMessage:(nonnull NSString *)string {
        // insertObject: needs an atIndex: argument; addObject: appends to the array
        [_keys addObject:string];
    }
    ...
    // $_POST the data with STHTTPRequest
    STHTTPRequest *r = [STHTTPRequest requestWithURLString:@"https://example.com/test.php"];
    r.POSTDictionary = @{ @"key": _keys[0] };
    ...

Is there any possible way that a client can intercept this personal data (within reason [buffer overflow, man in the middle, etc.])?


If you use the wss:// and https:// protocols, you do not need to worry about a man-in-the-middle attack, since all the data sent is encrypted anyway.

However, if you have to send data over an insecure protocol or in a URL query string, you can encrypt the data yourself using the PHP openssl module and send it as plain text (for example, as $_GET params).

Example: http://php.net/manual/en/book.openssl.php#91210

In this example, $crypttext will be binary data. This can be encoded into a base64 string and then URL-encoded if you need to send it via a GET or POST request:

    urlencode(base64_encode($crypttext))

On the receiving side, you URL-decode and then base64-decode to get the binary data back, and then decrypt it with the private key, as shown in the example:

    base64_decode(urldecode($crypttext))

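The scheme this answer describes, carried through end to end as an added example (not the answer author's code): RSA-OAEP encryption with PHP's openssl extension, base64 plus urlencode for transport, and the reverse on the server. It assumes a throwaway key pair generated in the script itself; in a real deployment only the public key reaches the client and the private key stays on the server.

```php
<?php
// Added example: encrypt a value for transport in a query parameter and decrypt it
// server-side. Assumption: the RSA key pair is generated here for the demo only.

// Sender side: encrypt with the public key, then wrap the binary ciphertext so that
// '+', '/' and '=' survive inside a GET/POST parameter.
function encryptForUrl(string $plaintext, string $publicKeyPem): string
{
    $crypttext = '';
    if (!openssl_public_encrypt($plaintext, $crypttext, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return urlencode(base64_encode($crypttext));
}

// Receiving side: undo the wrapping in reverse order (urldecode first, then base64
// in strict mode so non-alphabet characters are rejected), then decrypt with the
// private key. Returns null instead of garbage on any failure.
function decryptFromUrl(string $param, string $privateKeyPem): ?string
{
    $crypttext = base64_decode(urldecode($param), true);
    if ($crypttext === false) {
        return null;
    }
    $plaintext = '';
    if (!openssl_private_decrypt($crypttext, $plaintext, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    return $plaintext;
}

// Demo key pair, constructed for this example only.
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicKeyPem = openssl_pkey_get_details($keyPair)['key'];
openssl_pkey_export($keyPair, $privateKeyPem);

$secret = 'constructed sample value: 4111-1111-1111-1111';
$param  = encryptForUrl($secret, $publicKeyPem);   // safe to place in ?key=...
var_dump(decryptFromUrl($param, $privateKeyPem) === $secret);

// A parameter altered in transit (here the tail of the ciphertext is overwritten)
// fails the private-key decryption and yields null rather than a wrong value.
$tampered = substr(urldecode($param), 0, -4) . 'AAAA';
var_dump(decryptFromUrl($tampered, $privateKeyPem));
```

Because the base64 alphabet includes '+', '/' and '=', skipping the urlencode() step turns a '+' into a space once the query string is parsed, which is why the wrapping and unwrapping order above matters.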

I would recommend that your certificates be kept up to date, and make sure that your private key and certificate are secure and not accessible to anyone except you.

Keep in mind that if you are logging, you may write down the data that you want to protect. I would double-check your logging policy and make sure everything is okay with it. Sometimes information is passed in the URL as query parameters, and then it is recorded in server log files.

If you save any history, make sure to check it, and any caches on mobile devices, just in case.


Note: you must use SHA-256 + TLS + protocols with secure ciphers.

Note: SSL + protocol is not secure and can be subverted by a man in the middle. Note:

1. Make sure you created the certificate using SHA-256.
2. Sign the certificate.
3. Configure Apache or the web server to use SSL with TLS and secure cipher support.
4. Verify that each host trusts the other SSL hosts (if two-way).

Sorry, this is general, but you need more information.

Regards, Wesley


Source: https://habr.com/ru/post/1264878/
