
I was recently asked to create a PHP image upload script that only allows uploads to come from an iOS application written in Objective-C. Along with the upload come a key and an id $_POST field that are used to validate the user. How could I possibly prevent third parties from attempting to upload an image?

Zach
    See http://stackoverflow.com/questions/21465559/restrict-api-requests-to-only-my-own-mobile-app – rmaddy May 03 '15 at 19:01

1 Answer


A static key doesn't offer much security. Somebody could just use a packet sniffer to capture the key and then use the same key in their messages.

A much more rigorous approach would be to have the server send a challenge with a random value in it. The iOS app would encrypt that value with the private key of a public/private key encryption scheme and send the result to the server. The server would then use the public key to decrypt the message and verify it.

Duncan C
  • With HTTPS (SSL/TLS) and cert pinning, sniffing is not a major issue. As for the challenge-response, there is the [CHAP](http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol) standard. – zaph May 03 '15 at 23:56
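The challenge/response exchange the answer describes, written out as an added example that is not part of the original question, answer or comments. It uses the HMAC form that the CHAP comment points at rather than a public/private key pair, because Python's standard library has no asymmetric signing; in the answer's variant the app would sign the challenge with its private key and the server would verify with the public key, and everything else here (single-use random challenge, expiry, binding the response to the user id and to the file being uploaded) stays the same. The secret, the user id, the image bytes, the 60-second lifetime and the fake clock are all constructed for the example and are not from the post.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example (assumption, not from the post): the value
# the app ships with and the server stores for it. In the answer's public-key
# form this is the private key and the server holds only the public key.
APP_SECRET = b"example-app-secret-not-from-the-post"


def upload_response(secret, user_id, challenge, image_bytes):
    """Client side: HMAC over (user id, challenge, SHA-256 of the file).

    The fresh challenge stops replay; the file hash stops a captured response
    from being reused to push a different image.
    """
    body = b"\0".join([user_id.encode(), challenge.encode(),
                       hashlib.sha256(image_bytes).digest()])
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class UploadServer:
    """Server side of the CHAP-style exchange for the upload endpoint."""

    def __init__(self, secret, ttl=60, now=time.time):
        self.secret = secret
        self.ttl = ttl          # seconds a challenge stays valid
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # challenge -> time issued; dropped once used

    def issue_challenge(self):
        challenge = secrets.token_hex(16)       # 128 random bits, hex encoded
        self.pending[challenge] = self.now()
        return challenge

    def verify_upload(self, user_id, challenge, response, image_bytes):
        # Consume the challenge first, whatever the outcome: it is single-use,
        # so a sniffed (challenge, response) pair is worthless afterwards.
        issued = self.pending.pop(challenge, None)
        if issued is None:
            return False, "unknown or already used challenge"
        if self.now() - issued > self.ttl:
            return False, "challenge expired"
        expected = upload_response(self.secret, user_id, challenge, image_bytes)
        if not hmac.compare_digest(response, expected):
            return False, "response does not match"
        return True, "accepted"


def run_demo():
    """Exercise the exchange against the cases a reviewer would ask about."""
    clock = {"t": 1_000_000.0}                  # fake clock for the expiry case
    server = UploadServer(APP_SECRET, ttl=60, now=lambda: clock["t"])
    image = b"\x89PNG\r\n\x1a\n" + b"constructed image bytes"   # constructed
    user_id = "42"
    results = {}

    # Honest app: fresh challenge, correct response, the file it hashed.
    ch = server.issue_challenge()
    resp = upload_response(APP_SECRET, user_id, ch, image)
    results["legit"] = server.verify_upload(user_id, ch, resp, image)

    # Attacker replays the captured (challenge, response) pair. With the
    # static key the answer warns against, this second request would succeed.
    results["replay"] = server.verify_upload(user_id, ch, resp, image)

    # Attacker captures a fresh, valid response but swaps in another image.
    ch = server.issue_challenge()
    resp = upload_response(APP_SECRET, user_id, ch, image)
    results["tamper"] = server.verify_upload(user_id, ch, resp, b"other image")

    # Response arrives long after the challenge was issued.
    ch = server.issue_challenge()
    resp = upload_response(APP_SECRET, user_id, ch, image)
    clock["t"] += 120
    results["expired"] = server.verify_upload(user_id, ch, resp, image)

    # Attacker invents a challenge the server never issued.
    results["forged"] = server.verify_upload(user_id, "00" * 16, resp, image)
    return results
```

Two things to keep in mind when carrying this over to the PHP endpoint: the server must store issued challenges somewhere shared (a database row or cache, not a PHP array that disappears with the request) and must delete each one on first use, and the response must be checked with a constant-time comparison (`hash_equals` in PHP, `hmac.compare_digest` above). The scheme defeats replay and casual spoofing, but whatever secret the app carries, an HMAC key or a private key, can be pulled out of the iOS binary by anyone who wants it badly enough, which is the limitation the question rmaddy links to is about.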