Sending a password to the server

I ask myself: what is the best way to send personal information from your iOS device to the server?

At the moment, I encrypt the password in the application (sha1 of salt + password + pepper), after which I send the data from iOS to the server.

What is the best way to protect the user from any MITM attacks? Is my approach safe enough?

UPDATE:

I have added an SSL certificate. So that the user only needs to log in once, I save the key generated during user registration and retrieve it when the user first logs in, combined with the username and user id. Is this a good way? Only jailbroken users could read it and take a chance.

1 answer

Password hashing on the client side will help prevent the password itself from being discovered during eavesdropping, but it really does not provide any security on its own, since the credential then simply becomes the hashed version of the password rather than the original password itself. A listening device can simply grab the hashed version and then send the hash itself.

The easiest solution is to simply use SSL/TLS. Since you mentioned the "message", this means that you are probably using HTTP. Instead, you can simply connect via HTTPS and post the data just as you do now. As long as the certificate is verified for validity (I believe that the iOS framework already does this by default), the connection should be largely secured.

This should be good enough for most situations. There are several more complex and elaborate methods that you can use, but SSL/TLS does a huge amount on its own.
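As an added illustration (not code from the question or the answer), here is a small Python model of the server side of what the answer describes: whatever the app transmits over an unencrypted connection is the credential, whether it is the password or the sha1(salt, password, pepper) value, so client-side hashing changes nothing about replay. It also goes one step beyond the answer: storing that transmitted value verbatim, as the question's update describes, makes a leaked user table directly usable for login, whereas hashing it server-side with a per-user salt and a slow KDF does not. The salt, pepper, usernames and passwords are constructed; transport protection (TLS) is outside this model.

```python
import hashlib
import hmac
import os

# Constructed app-wide salt and pepper, standing in for the ones the question describes.
APP_SALT = b"constructed-app-salt"
APP_PEPPER = b"constructed-app-pepper"


def client_side_hash(password):
    """What the app transmits instead of the password: sha1(salt || password || pepper)."""
    return hashlib.sha1(APP_SALT + password.encode() + APP_PEPPER).hexdigest()


class NaiveServer:
    """Stores the transmitted value verbatim and accepts anything equal to it."""
    def __init__(self):
        self.users = {}
    def register(self, user, transmitted):
        self.users[user] = transmitted
    def login(self, user, transmitted):
        return hmac.compare_digest(self.users.get(user, ""), transmitted)


class HardenedServer:
    """Treats the transmitted value as the secret: per-user random salt plus a slow KDF."""
    ITERATIONS = 50_000  # kept low so the example runs quickly; raise it in production
    def __init__(self):
        self.users = {}
    def _derive(self, salt, transmitted):
        return hashlib.pbkdf2_hmac("sha256", transmitted.encode(), salt, self.ITERATIONS)
    def register(self, user, transmitted):
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(salt, transmitted))
    def login(self, user, transmitted):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._derive(salt, transmitted))


def eavesdropped_value_logs_in(server, user, password):
    """Both servers: whatever crosses an unencrypted wire is itself a valid credential."""
    seen_on_wire = client_side_hash(password)
    server.register(user, seen_on_wire)
    return server.login(user, seen_on_wire)


def leaked_record_logs_in(server, user, password):
    """Naive server only: a dumped user record can be presented back as the credential."""
    server.register(user, client_side_hash(password))
    record = server.users[user]
    return server.login(user, record if isinstance(record, str) else record[1].hex())
```

The first function shows why the answer says hashing alone buys nothing against an eavesdropper; the second shows why the server should still hash what it receives rather than keep it as-is.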


Source: https://habr.com/ru/post/1437890/
