3

People need to log in to start using my app. They can register themselves on my website and their passwords are stored using Bcrypt. When they log in through the app I transfer the password as plain text in a GET request (https://website.com/file.php?pass=password) to a PHP file which uses Bcrypt again to compare the password to the one stored in my database. My website uses an SSL certificate and with that an HTTPS connection at all times. So my NSURL starts with an HTTPS request. My question is, is it safe enough this way or is it completely unsafe? If so, what would you suggest to validate the login of the user?

2 Answers

2

I think that using HTTPS is a great start. As zaph points out, you might want to check to make sure that your server is using TLS 1.2.

I agree with SLaks, though, and advise against a GET request. Section 9.4 of RFC 7231 warns: "Authors of services ought to avoid GET-based forms for the submission of sensitive data because that data will be placed in the request-target. Many existing servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties. Such services ought to use POST-based form submission instead."

As you're thinking about NSURLSession security, I'd suggest that you make sure that you do not do any caching during user authentication, perhaps even using an ephemeral session, so that this data that you've gone to such lengths to encrypt isn't unintentionally stored elsewhere unencrypted.

I might also suggest watching the WWDC 2015 videos Security and Your Apps, Privacy and Your App, and Networking with NSURLSession. These don't tackle your question directly, but they do touch on some broader security/privacy issues.

Rob
  • Well thank you hero! This gave me a lot of confidence about where to go from here! I appreciate your time taken to answer my question – Polo Swelsen Mar 11 '16 at 05:38
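A client-side sketch of the advice in the answer above (POST body instead of a query string, no caching, an ephemeral session), added here as an example rather than code from the answer or the asker's app. It uses the Swift URLSession names for what the question calls NSURLSession; the endpoint URL and the form field names are assumptions.

```swift
import Foundation

// Builds the login request. The credentials go in the POST body, never in the
// request-target, so they do not end up in server, proxy or client logs.
// ASSUMPTION: https://website.com/login.php expects user= and pass= form fields.
func makeLoginRequest(username: String, password: String) -> URLRequest? {
    guard let url = URL(string: "https://website.com/login.php") else { return nil }
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
    request.cachePolicy = .reloadIgnoringLocalAndRemoteCacheData

    // Percent-encode each field so a password containing '&' or '=' cannot
    // break the form encoding. Only RFC 3986 unreserved characters pass through.
    var allowed = CharacterSet.alphanumerics
    allowed.insert(charactersIn: "-._~")
    guard let u = username.addingPercentEncoding(withAllowedCharacters: allowed),
          let p = password.addingPercentEncoding(withAllowedCharacters: allowed) else { return nil }
    request.httpBody = "user=\(u)&pass=\(p)".data(using: .utf8)
    return request
}

// Ephemeral configuration: cache, cookies and credentials live only in memory
// and are discarded when the session is invalidated, so the password and the
// server's response are never written to the on-disk URL cache.
func makeLoginSession() -> URLSession {
    let config = URLSessionConfiguration.ephemeral
    config.urlCache = nil
    config.requestCachePolicy = .reloadIgnoringLocalAndRemoteCacheData
    // Refuse anything below TLS 1.2 (deprecated on iOS 13+, where
    // tlsMinimumSupportedProtocolVersion = .TLSv12 is the replacement).
    config.tlsMinimumSupportedProtocol = .tlsProtocol12
    return URLSession(configuration: config)
}

func login(username: String, password: String, completion: @escaping (Bool) -> Void) {
    guard let request = makeLoginRequest(username: username, password: password) else {
        completion(false)
        return
    }
    let session = makeLoginSession()
    let task = session.dataTask(with: request) { _, response, error in
        let ok = error == nil && (response as? HTTPURLResponse)?.statusCode == 200
        completion(ok)
        // Tear the session down once the login round-trip is over, dropping
        // the in-memory cookie and credential state with it.
        session.finishTasksAndInvalidate()
    }
    task.resume()
}
```

The server side then reads `$_POST['pass']` rather than `$_GET['pass']` and still verifies it against the stored Bcrypt hash; nothing about the hashing changes.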
0

HTTPS is safe if the server is using TLS 1.2 and perfect forward secrecy. Also if the server is using 2-factor authentication and the second factor is well controlled.

But you also need to pin the certificate in your app to prevent MITM attacks.

zaph