0

Based on this link: https://github.com/RNCryptor/RNCryptor

I've learned that this is a basic method to encrypt NSData

NSData *data = [@"Data" dataUsingEncoding:NSUTF8StringEncoding];
NSError *error;
NSData *encryptedData = [RNEncryptor encryptData:data
                                    withSettings:kRNCryptorAES256Settings
                                        password:aPassword
                                           error:&error];

And here is my code doing POST request to PHP-based server.

NSString *parameter = [NSString stringWithFormat:@"userid=%@&password=%@",useridStr, passwordStr];
NSData *parameterData = [parameter dataUsingEncoding:NSUTF8StringEncoding];

NSURL *url = [NSURL URLWithString: @"http://mywebiste.com/server.php"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
[request setHTTPBody:parameterData];

[request setHTTPMethod:@"POST"];
[request addValue: @"application/x-www-form-urlencoded; charset=utf-8"  forHTTPHeaderField:@"Content-Type"];
NSURLConnection *connection = [[NSURLConnection alloc]initWithRequest:request delegate:self];

And in PHP server :

 <?php
    $userid = $_POST['userid'];
    $password = $_POST['password'];

    ...

 ?>

My question is

How would i received data in PHP server if the whole parameter

NSString *parameter = [NSString stringWithFormat:
                         @"userid=%@&password=%@",useridStr, passwordStr];

is encrypted??

Is there a way to encrypt ONLY NSString, and attached them to the parameter like this?

NSString *parameter = [NSString stringWithFormat:  
                         @"userid=%@&password=%@",ENCRYPTED_USRID, ENCRYPTED_PWD];
Simon McLoughlin
  • 8,293
  • 5
  • 32
  • 56
Joon. P
  • 2,238
  • 7
  • 26
  • 53
  • I don't understand what you are asking here. Yes the last block of code is fine, have you tried it? – Simon McLoughlin May 19 '15 at 16:09
  • I was asking if there is a way to encrypt NSString only.. so PHP server can receive them using $_POST['somedata']; – Joon. P May 19 '15 at 16:16
  • above codes encode whole NSData and is sent to PHP – Joon. P May 19 '15 at 16:17
  • So encode each string separately and then convert the `NSData`'s to strings. Have you made any effort to research this? – Simon McLoughlin May 19 '15 at 16:18
  • Yes links like http://stackoverflow.com/questions/1400246/aes-encryption-for-an-nsstring-on-the-iphone only deals with NSString -> NSData.. I want to attach encrypted NSString to POST parameter .. so i can parse it in PHP – Joon. P May 19 '15 at 16:44
  • If you're doing what it looks like you're doing... you really should be using SSL. Otherwise, someone could grab the encryption password from your iOS app binary & decrypt all user information in transit. SSL would prevent that from happening. –  May 19 '15 at 17:04
  • Thanks i should dig into SSL for this – Joon. P May 19 '15 at 17:11

1 Answers1

0

If you encrypted the whole POST string PHP would not really know how to parse the data into the $_POST superglobal array. You'd probably have to get the raw request from the raw input stream php://input, decrypt it, and then parse it yourself.

The second method where only the userid and password values are encrypted would be preferable for simplicity's sake as the PHP code you've posted would work as-is.

I can't speak on the ObjC code though, I'm not fluent in it.

Have you considered just using SSL to encrypt the connection so you don't have to bother with implementing the crypto yourself in the application?

Sammitch
  • 30,782
  • 7
  • 50
  • 77