0

I'm aware multiple questions have been asked on the topic but none have really answered my specific question.

My app

I have a PHP-based API that retrieves AND posts information from my MySQL database. I use it to check for login, to create new accounts, but also to retrieve simple data from the database. My app isn't on the AppStore yet, and right now, my API has no security whatsoever: it's the first API I've ever made, and I was just focusing on the basics. Now it's over, I want to add some security. I've done lots of research and oAuth seems over the top and way too difficult for what I'm trying to do here. I'm confused on the oAuth topic, about 2-legged or 3-legged oAuth.

Let's say I want this simple scheme to be secured: 1) users enters login information 2) iOS app sends credentials to PHP-based API server 3) API checks in database if login credentials are correct 4) API returns (in jSON) the result of the request 5) App process the jSON

This is the current flow. What is the most simple way to secure this? Is oAuth worth it or can I make a simpler, hand-made encryption system with a private key only my app and my API would know and that I would simply add in the POST?

AdamMc331
  • 16,492
  • 10
  • 71
  • 133
el-flor
  • 1,466
  • 3
  • 18
  • 39
  • 1
    If you are set on rolling your own really look at [CHAP](http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol), it is reasonably simple, avoids replay attacks and is well understood. – zaph Nov 30 '14 at 22:23

1 Answers1

1

General rule of thumb for security is to go with a tried and tested solution. As such oAuth with some external sign-in method (Like Facebook, Google, Twitter etc) is a good way to go. I think you'll find that it's a lot less work actually than rolling your own user data base, password handling, authentication and so on.

However if you're not keen on doing this, there are most likely complete PHP frameworks for adding security, for example PHP-LOGIN. If you insist on doing it yourself, the answers here might provide some detail: Developing a secure PHP login and authentication strategy although I strongly advise against implementing your own security solution unless you're an expert in the area.

Community
  • 1
  • 1
Rick
  • 3,240
  • 2
  • 29
  • 53
  • Thanks for the answer Rick. Point is: I already have my own website with my own databae and my users, so I can't just skip that. I'll look into the PHP-login framework. Nothing iOS specific? Thanks – el-flor Nov 30 '14 at 21:18
  • I see. But in that case you already have a login function I guess? Provided that it's secure, you can simply use the same security measures on the iOS device, I take is you use a session token or similar? – Rick Nov 30 '14 at 21:23
  • Yes for the login I use a session token indeed. I just can't seem to translate it to iOS/PHP. What would be wrong with the encryption of a key that I would pass to the PHP server to decrypt and compare? What are the dangers if it's hand-made? – el-flor Nov 30 '14 at 21:32
  • If you want to send passwords in clear text over the wire they have to be encrypted and even then it's a risk. Here is some good reading on password-related security: http://stackoverflow.com/a/401684/1091402. Regarding how this works on iOS, it works the same way as it does in your browser, however you may need to store the session token in a slightly different way. – Rick Nov 30 '14 at 21:38
  • 1
    Thanks a lot for the insight & help – el-flor Nov 30 '14 at 21:39
  • No problems, hope you find a solution :) – Rick Nov 30 '14 at 21:41