8

So here's the situation, I've got an iOS app that has a part where users input information into specific labels, and then I create a URL request based on the users given information, and send this over to my PHP backend. The URL follows the below structure:

http://www.somewebsite.com/send.php?title=hello&name=john&contact=email

Now the problem with the above is that anyone who has access to the URL, can easily bombard the database with spam, too many submissions, etc. It feels very insecure. What should my approach to making this process as secure as possible be?

My current knowledge level with PHP is being able to get tasks accomplished by simply using methods that "get the job done" (regardless of how safe they are), but now I'm starting to get to the point where I need to keep security, safety, etc in mind. Helpful advice/insight will be greatly appreciated. Thank you!

Isaac Bennetch
  • 11,830
  • 2
  • 32
  • 43
Vimzy
  • 1,871
  • 8
  • 30
  • 56
  • read this http://stackoverflow.com/questions/15273705/security-when-using-rest-api-in-an-iphone-application/15277589#15277589 – Fatti Khan May 18 '15 at 07:33
  • http://stackoverflow.com/questions/14452137/secure-api-for-ios-without-user-account – Fatti Khan May 18 '15 at 07:34
  • Do your users have accounts in your app (or the underlying server)? That makes the task much easier. – halfer May 18 '15 at 08:19

2 Answers2

3

The best way to secure this is to lock your server-side components (i.e. the PHP part) behind an OAuth2 authentication layer. I personally recommend this OAuth2 Server for this purpose.

The general workflow will be like this:

1. Send an API key/username/password/etc to an API endpoint (i.e. a URL)
2. Get a token, store it in memory for future use
3. Send this token on subsequent requests

This solution is superior to sending a hash (e.g. MD5) of the data, because this does not authenticate anything. It also addresses the underlying problem rather than hiding it (e.g. POST rather than GET does nothing for securing your communications). However, OAuth2 does not provide confidentiality. A man in the middle can still see/mangle your requests.

To better protect your users you should be using HTTPS (TLSv1.2 with PFS) on your app. Exclusively. Don't even have a port 80 HTTP server that does anything more than redirect to your HTTPS server. Also send HSTS and HPKP headers, if iOS supports them.

If you need better security than HTTPS + OAuth2 offers, I suggest learning application security full-time because the more detailed and intricate solutions will only make sense if you have a great breadth of knowledge on the subject. (Depending on your threat model, of course!)

For example, the defense against an attacker reverse engineering your app to recover hard-coded API keys is simply not to have them, which complicates your workflow and possibly requires authenticating each user.

Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206
  • 1
    Good advice but learning about security is a large topic. If the OP wants real security hire a domain expert. If the OP is only interested the appearance of security--canry-on. – zaph May 18 '15 at 16:24
  • Thanks a lot for the information. PHP security is now starting to appear very deep in scope. What you outlined above will be more than ample for my purposes. Much later on, I will need to look into a few more advanced tpoics though. Thanks. – Vimzy May 18 '15 at 17:25
  • @zaph Certainly, but I believe having security education more accessible is a good thing for society. (If anyone wants to hire a domain expert, I am of course available through [my company](https://paragonie.com)! :P) – Scott Arciszewski May 18 '15 at 19:42
  • @Vimzy You're welcome. Feel free to ping me on Twitter, via email, etc. if you get stuck with anything in that repo or in my answer here. :) – Scott Arciszewski May 18 '15 at 19:43
  • 1
    @ScottArciszewski I agree about the education! Personally for a starter I like [*Cryptography Decrypted*](http://www.amazon.com/Cryptography-Decrypted-H-X-Mel/dp/0201616475) by H. X. Mel. You get to meet Alice, Bob and Eve. ;-) – zaph May 18 '15 at 20:22
-2

Add a username/password and key on your parameter. Make your own combination (Encrypt if possible) then always check it first so the process will be minimize.

If the credentials where wrong stop the process.

John Maui Sanchez
  • 1
  • 1