
I've got two questions about PHP security with an iOS app.

Question 1:

I built an iOS application, and this app calls PHP files, but I want to restrict access to these PHP files.

I want to reject access to the PHP files from the web.

Example: if a user enters a URL like www.mydomain.com/phpLocation/file.php, I want to reject the user with an HTTP 403 code.

How can I do it?

Question 2:

I created a connexion.php file that contains database information (username, password, ...) and I protect access to this file with a .htaccess.

Is that enough to protect the database information?

Thanks,

Arnold Mapps
  • You could use something like this SO answer demonstrates: http://stackoverflow.com/questions/6322112/check-if-php-page-is-accessed-from-an-ios-device for your first question. If it is not an iPhone, simply die() – Geoherna May 18 '16 at 19:01
  • I already tried this solution but it doesn't work; I will try again and tell you – Arnold Mapps May 18 '16 at 19:05
  • You could also include a custom header that your iOS app specifically sends when making the request, and check for that data in PHP. If it exists, you know it's the app; if not, cause PHP to die() or return 401 – Geoherna May 18 '16 at 19:09
  • In my POST method I add a variable and then check if my variable is sent? – Arnold Mapps May 18 '16 at 19:12
  • Yeah, something similar to that. What I would do is make my PHP code more API-like. I would create myself an API key and include it from my iOS app as an Authorization header. Then in PHP I would check to make sure that Authorization header is present and valid. If it is, we know that this is the app. – Geoherna May 18 '16 at 19:14
  • OK, thank you for your response – Arnold Mapps May 18 '16 at 19:35

1 Answer


Question 1

You can use this way (Check if PHP page is accessed from an iOS device), but it is a weak verification, because anyone can send these user agents and bypass your security. A better way is to combine the previous solution with some verification token or other HTTP header that only your iOS app will have. Still, people can steal this token and access your application, but it will be harder. Make sure you are using SSL.

Question 2

It should be, or anyone who uses Apache HTTP server would be doomed. But maybe you still want to put it in some directory that only your OS has access to. Any change in this .htaccess can open your config file.
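As an added example (not code from the question or the answer), the following PHP endpoint puts both suggestions together: a weak user-agent filter, a shared-secret check on the Authorization header compared in constant time, and database credentials loaded from a file that sits outside the web root rather than relying on a .htaccess rule. The directory layout, the `connexion.php` array shape and the `api_key` field are assumptions for this example; the secret still ships inside the app binary, so, as the answer says, this raises the bar but is not user authentication, and it only holds up over HTTPS.

```php
<?php
// Added example: gate a PHP endpoint behind a token only the iOS app sends,
// and keep the database credentials where Apache cannot serve them.
declare(strict_types=1);

// Assumed layout (hypothetical): DocumentRoot is /var/www/html and this file
// is /var/www/html/phpLocation/file.php, so ../../config/ is outside the web
// root. Files outside DocumentRoot are never served, whatever .htaccess says.
$configPath = __DIR__ . '/../../config/connexion.php';

// Assumed shape of connexion.php (constructed for this example):
//   <?php return [
//       'api_key' => 'REPLACE-WITH-A-LONG-RANDOM-VALUE',
//       'db_dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//       'db_user' => 'app',
//       'db_pass' => 'REPLACE-ME',
//   ];
$config = require $configPath;

function deny(): void
{
    // The asker wants an explicit 403 for anything that is not the app.
    http_response_code(403);
    exit('Forbidden');
}

function looksLikeIosDevice(): bool
{
    // Weak first filter only: the User-Agent is chosen by the client and is
    // trivially forged, so this must never be the only check.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return stripos($ua, 'iPhone') !== false || stripos($ua, 'iPad') !== false;
}

function hasValidAppToken(string $expectedKey): bool
{
    // Under Apache + mod_php the header shows up here; with PHP-FPM it may
    // need to be passed through explicitly in the Apache configuration.
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/', $header, $m)) {
        return false;
    }
    // hash_equals() compares in constant time so response timing does not
    // leak how many leading bytes of the key were correct.
    return hash_equals($expectedKey, $m[1]);
}

if (!looksLikeIosDevice() || !hasValidAppToken($config['api_key'])) {
    deny();
}

// Only reached with a valid token: connect with credentials that live outside
// the web root, so a broken or deleted .htaccess cannot expose them.
$pdo = new PDO($config['db_dsn'], $config['db_user'], $config['db_pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

header('Content-Type: application/json');
echo json_encode(['status' => 'ok']);
```

On the iOS side the app sends `Authorization: Bearer <key>` with each request, and the server must be reachable over HTTPS only, otherwise the token is visible to anyone on the path. Because the key can be extracted from the app, treat it as a way to keep casual browsers out, and keep the real authorization (per-user accounts, rate limiting, input validation) in the PHP code itself.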

Felippe Duarte