  • I have a question regarding API calls. I have an iOS app that talks to a web server.
  • The app makes API calls. These API calls essentially use HTTP and a PHP/JS file/function.
  • The API call (PHP/JS) talks to the web server (HTTP) and does some DB (Mongo) manipulation to pull the appropriate content.

What I would like to understand is how I can hardcode a key or auth model in the iOS app, in connection with my web server, to restrict the communication to the app and the web server.

  • That way, someone cannot call the API directly and introduce garbage into the DB.
  • That way, only the app (downloaded from the App Store) can talk to the web server/API server.

I understand this may not be the most secure manner to restrict communication between server and client - but I am open to other ideas as well.

thanks

hypermails
  • The question really is who you're trying to protect against, and the follow up is how much you're willing to spend to protect against them... – Wain Sep 08 '16 at 06:53

4 Answers


You can use some token-based authorization access structure, where on your web server you define a key that it requires to be passed on API calls to grant access.
See JSON Web Token for example.

Hope that helps :)

Luciano Almeida

A really simple authentication scheme can be achieved like this:

  1. Client sends an authentication request to Server.
  2. Server validates the authentication request and responds to Client with a session ID.
  3. Client puts the session ID in the header of other requests, and Server validates it every time it receives a request.

Note this is a very trivial authentication scheme, prone to be insecure; however, it will achieve your goal of filtering most non-authenticated requests. I really recommend that you read the article Session Management Cheat Sheet and follow its guidelines to improve the security of this scheme.

WelsonJR
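The three-step scheme described in the answer above, as an added Python example (not code from the original answer): a server-side session store that issues a random session ID on a valid login and checks an `X-Session-Id` request header (an assumed header name) on every later request, with expiry and logout so a leaked ID can be revoked. The user table and salt are constructed sample data.

```python
import hashlib, hmac, secrets, time

# Constructed sample user store: PBKDF2 password hashes, never plaintext.
_SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
_DUMMY = bytes(32)         # compared against when the user is unknown (uniform timing)

SESSION_TTL = 900          # seconds a session ID stays valid
_sessions = {}             # session_id -> (username, expiry); lives only on the server

def authenticate(username, password, now=None):
    """Steps 1+2: validate credentials; return a fresh random session ID or None."""
    now = time.time() if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    stored = USERS.get(username, _DUMMY)
    # Constant-time compare, run even for unknown users so timing reveals nothing.
    ok = hmac.compare_digest(stored, candidate) and username in USERS
    if not ok:
        return None
    session_id = secrets.token_urlsafe(32)      # 256 random bits from the OS CSPRNG
    _sessions[session_id] = (username, now + SESSION_TTL)
    return session_id

def validate_request(headers, now=None):
    """Step 3: look up the session ID from the header; return the username or None."""
    now = time.time() if now is None else now
    session_id = headers.get("X-Session-Id")
    entry = _sessions.get(session_id) if session_id else None
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        _sessions.pop(session_id, None)         # expired: drop it server-side
        return None
    return username

def logout(session_id):
    """Invalidate a session on the server so a stolen ID stops working."""
    return _sessions.pop(session_id, None) is not None
```

The session ID is the only thing the client holds; it carries no user data, so the server store is what decides whether a request is authenticated.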

I would start from here. It's Android mostly, but check it out: How do popular apps authenticate user requests from their mobile app to their server?

  1. Create a hardcoded OAuth login account.
    https://aaronparecki.com/2012/07/29/2/oauth2-simplified

  2. Session management is an option (suggested above)

  3. https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication

  4. http://docs.appcelerator.com/platform/latest/#!/api/Titanium.Network.HTTPClient

hypermails

There is an official blog about OAuth and Titanium that you might want to check out. It follows best practices regarding persistence, authentication and XHR-based validation.

Hans Knöchel