IOS app verification

We have an iOS application that interacts with various web services on the server. The backend, however, wants to confirm that a request arriving at it comes from our actual iOS application, and not from a replay attack or a man-in-the-middle attack. Eventually we will move all our calls to https. Still, is there a way for the backend to confirm that the request comes from our legitimate application? We thought of using a cryptographic nonce with every request, but that would still be prone to a man-in-the-middle attack. Is there a certificate exchange that can be used between the iOS application and the server?

+6
5 answers

How about using a private/public key scheme so that the iOS application signs each request it sends?

If the private/public key scheme sounds scary, the same idea of "signing" your requests can be implemented easily by hashing your crypto-tax code using sha1, sha2 or another cryptographic hashing algorithm. It would be fairly easy to implement (the implementation is readily available), fast, and would provide a higher level of security.

+3

Support for TLS and SSL client authentication using certificates. NSStream can support client-side authentication, but I could not find a way to do this without abandoning the use of OpenSSL for a real implementation.

Addendum
ASIHTTPRequest has supported client certificates since version 1.8, so implementing this is no fuss.

+3

I would suggest using OAuth. It is well known and understood and largely safe, and if someone obtains your token, you can issue a new one with an application update and revoke the old one.

+1

This is a common issue with http, not just an issue with iOS. In fact, it is the problem that https is intended to solve, or at least mitigate. You can sign the request, use an HMAC to authenticate the message, use digest authentication, etc., but as long as you use http, a man-in-the-middle attack cannot be easily detected. Spend your time on https as fast as you can.

+1
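The request signing that the first answer suggests and the HMAC plus replay concerns raised in the question and the answer above, as an added example (not code from the original thread): the client signs method, path, timestamp, nonce and body digest with a shared secret, and the server verifies in constant time, rejects stale timestamps and rejects a reused nonce. The secret, header names and window are assumptions; as the last answer notes, a secret embedded in the app only raises the bar.

```python
import hashlib
import hmac
import time

# Constructed placeholder; in the scheme discussed it ships inside the app binary.
APP_SECRET = b"example-app-secret-not-for-production"
MAX_SKEW = 300  # seconds of clock difference the server tolerates


def canonical(method, path, timestamp, nonce, body):
    """Fixed serialization both sides sign; the body is covered by its SHA-256."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, timestamp, nonce, body, secret=APP_SECRET):
    """Client side: hex HMAC-SHA256 the app would send in a signature header."""
    msg = canonical(method, path, timestamp, nonce, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks signature, timestamp window and nonce reuse."""

    def __init__(self, secret=APP_SECRET, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; replays inside the window are rejected

    def verify(self, method, path, timestamp, nonce, body, signature, now=None):
        now = time.time() if now is None else now
        # 1. A captured request cannot be replayed once it falls outside the window.
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside window"
        # 2. Recompute and compare in constant time (a plain == leaks timing).
        expected = sign_request(method, path, timestamp, nonce, body, self.secret)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 3. Inside the window, a nonce seen before means a replay of a valid request.
        self._expire(now)
        if nonce in self.seen:
            return False, "nonce reused"
        self.seen[nonce] = timestamp
        return True, "ok"

    def _expire(self, now):
        stale = [n for n, ts in self.seen.items() if now - ts > self.max_skew]
        for n in stale:
            del self.seen[n]
```

Note that the signature binds the body, so a man in the middle who changes the payload of a plain-http request also invalidates the signature; it does not, however, stop them from reading it, which is why the answer above still points to https.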

This problem cannot be solved absolutely. Whatever you invest in your scheme may ultimately be defeated by jailbreaking the phone and running the client in a debugger. Of course, this does not mean that you cannot make it harder to forge your client using client certificates and other measures, and you should. But if, for example, the security of financial transactions depends on your application not being tampered with, that would be bad ...

0

Source: https://habr.com/ru/post/888333/
