4

My iOS app needs to connect to a MySQL server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.

My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.

Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?

Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.

The option that I thought of was using HTTPS so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, HTTPS can be expensive for a poor college student, so I'd like an alternative if one exists.

blkhp19
  • Let's see, you have an app sending HTTP requests to a PHP back-end, right? Then it is technically impossible to shield your PHP from being hit from outside (or a hijacked version) of your app. – Fabrício Matté Aug 23 '13 at 04:50
  • SSL would be a good option to keep third parties from being able to sniff the credentials or session token from an authentic user. After that, periodic regeneration of the session id would make things annoying for those that grabbed/guessed at a valid session id via nefarious means. Using techniques to combat [CSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) might also be useful in weeding out auto registration bots. – Orangepill Aug 23 '13 at 04:56
  • The SSL might be a good idea, but don't rely only on your interface (app) sending valid data. Do the proper validation and escaping (preferably using the PDO or mysqli driver) before throwing user input into queries. (See the last two parts of my [answer](http://stackoverflow.com/a/18347112/1331430) on a related topic.) – Fabrício Matté Aug 23 '13 at 04:58
  • And obviously a dedicated hacker shouldn't have much trouble memory-editing an iOS app or sniffing/editing HTTP packets, making app constraints/validation useless. (Though I don't have iOS hacking experience.) – Fabrício Matté Aug 23 '13 at 05:06

1 Answer

6

As stated before, there is no 100% security possible. But there are several solutions that, put together, give great security.

Https

As you point out, this is an important part, as it prevents sniffing.

Sessions

Use sessions and don't allow any request without a valid session (except the first, which must authenticate the app).

Fingerprint

Check the user agent and set extra HTTP headers, to get a fingerprint unique to your app. (Someone could still sniff, but he would need to use curl or similar.)

Obfuscate requests

Build your query string and apply a hash function. The server needs to implement the reverse function. `?43adbf764Fz` instead of `?a=1&b=2`

Encrypt

This goes a step further. Use a shared secret to calculate a hash. On the server, repeat the same. This is already strong security. In order to break it, one needs to reverse engineer your app.

Use unique shared secret

You say it is an app for iOS. Upon installation, a unique token is generated by iOS. Have your app register this token with your server. Like this, you have a strong shared secret unique to each installation, and there would be no way to hack your web app.

Lorenz Meyer
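The "Encrypt" and "Use unique shared secret" steps of the answer above, sketched for the PHP back-end as an added example that is not code from the answer's author. It uses HMAC-SHA256 as the keyed hash and adds a timestamp check against replayed requests, which the answer does not mention; the function names, the `install_id`/`ts`/`sig` parameters, the endpoint path and the sample secret are all hypothetical.

```php
<?php
// Added example: sign_request, verify_request and the install_id/ts/sig
// parameter names are hypothetical, not taken from the original answer.

const MAX_SKEW_SECONDS = 300; // assumed replay window

// Canonical form: sorted parameters, so both sides hash identical bytes.
function canonical_string(string $path, array $params): string {
    ksort($params);
    return $path . "\n" . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// What the app does before sending (written in PHP here for symmetry).
function sign_request(string $path, array $params, string $installId, string $secret, int $now): array {
    $params['install_id'] = $installId;
    $params['ts'] = $now;
    $params['sig'] = hash_hmac('sha256', canonical_string($path, $params), $secret);
    return $params;
}

// What the server does: look up the secret registered for this installation,
// recompute the HMAC over the received parameters, compare in constant time.
function verify_request(string $path, array $params, array $secretsByInstall, int $now): bool {
    $sig = $params['sig'] ?? '';
    $installId = $params['install_id'] ?? '';
    unset($params['sig']);
    if (!is_string($sig) || !is_string($installId) || !isset($secretsByInstall[$installId])) {
        return false; // unknown installation or malformed request
    }
    if (!isset($params['ts']) || abs($now - (int)$params['ts']) > MAX_SKEW_SECONDS) {
        return false; // stale or missing timestamp: reject replays of old requests
    }
    $expected = hash_hmac('sha256', canonical_string($path, $params), $secretsByInstall[$installId]);
    return hash_equals($expected, $sig);
}

// Constructed sample data: one installation with its registered secret.
$secrets = ['install-123' => 'constructed-secret-registered-at-first-launch'];
$now = 1377233400;
$req = sign_request('/verify_user.php', ['user' => '42', 'code' => '918273'],
                    'install-123', $secrets['install-123'], $now);

var_dump(verify_request('/verify_user.php', $req, $secrets, $now));       // genuine request
$tampered = $req;
$tampered['user'] = '43';
var_dump(verify_request('/verify_user.php', $tampered, $secrets, $now));  // parameter changed after signing
var_dump(verify_request('/verify_user.php', $req, $secrets, $now + 3600)); // same request replayed an hour later
```

The signature only proves knowledge of the per-installation secret; the parameters still travel in the clear, so this complements HTTPS rather than replacing it.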