
I am a complete newbie in this topic, so please excuse my ignorance. Our company has a PHP-based REST service created for consumption by an iPhone app. We make several POST calls to the REST API, www.mywebsite.com/api/rest, and we send the method name and the parameters to the service. The service in turn returns an XML response which is GZip encoded. This is working fine.

I have been assigned the task of securing these calls so that the data being passed to the service is not in plain text / is not visible using tools like Charles Proxy and other sniffing tools. In the past I have used some iPhone apps which also make REST calls, but they don't show up in such tools. I would like to know how to implement such a thing in a normal PHP-based REST service so that the data being transmitted is not visible / can be made secure.

I thought about using HTTPS, but if we use HTTPS, I hear from others that the service/server will become slow, and I am not too sure if the iPhone client will accept HTTPS calls.

Please advise.

Thanks in advance, Senthil

    Whoever told you that SSL shouldn't be used because it's slow sounds like somebody to whom you shouldn't listen. – David Mar 22 '11 at 13:25
  • David, I agree with you. I just came to know that the performance implication, if any, is only 1/5th of a regular HTTP call. My only concern is that the calls which we will be making are pretty short ones (like sending a username and password and receiving a boolean). – senthil Mar 23 '11 at 12:34

1 Answer

It sounds like you're trying to secure the transport layer, and assuming that's the case, then SSL/TLS is surely the way to go. Yes, chances are there will be some performance impact, but the security is probably worth it.

  • Also, read this question for more info on the performance impact: http://stackoverflow.com/questions/149274/http-vs-https-performance – gnur Mar 22 '11 at 13:27
  • Although you can still use SSL on Charles if the iPhone installs the Charles certificate, so it won't be hidden from everybody – Tom Mar 22 '11 at 13:27
  • You should never expect to be able to give data to a user's device but keep it secret from the user. – Quentin Mar 22 '11 at 13:29
  • We have finally decided to use an SSL certificate and make only the subdomain which hosts the API SSL-secured. So, is it enough if we just get an SSL certificate for the subdomain and install it through cPanel/Plesk, or is there more to it? – senthil Mar 23 '11 at 12:37
  • Also, would someone here have an idea if anything special has to be done on the iPhone client to accept/parse data from such an HTTPS REST API? – senthil Mar 23 '11 at 12:38
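Installing the certificate on the API subdomain (the step asked about in the last comments) only makes HTTPS available; it does not stop the app, or anyone replaying its requests, from still talking to the same endpoint over plain HTTP. The guard below is an added example, not code from the question or the answer: it is a small front-controller check a PHP REST endpoint can run before dispatching any method. It assumes the web server sets `$_SERVER['HTTPS']` for TLS requests (Apache and nginx do by default); the function names `request_is_https` and `enforce_https` are made up for this example.

```php
<?php
// Added example (not from the original question or answer): refuse plain-HTTP
// requests to a PHP REST endpoint that has been moved to an HTTPS-only subdomain.
// Assumption: the web server sets $_SERVER['HTTPS'] on TLS requests. If TLS is
// terminated on a proxy in front of PHP, the proxy must forward an equivalent
// signal and this check has to be adapted to it.

function request_is_https(array $server): bool
{
    // Apache/nginx set HTTPS to "on" (or "1"); IIS sets it to "off" on plain HTTP.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== 'off' && $server['HTTPS'] !== '') {
        return true;
    }
    // Some configurations expose only the port the request arrived on.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function enforce_https(array $server): void
{
    if (request_is_https($server)) {
        // Ask the client to keep using HTTPS for this host for 180 days.
        header('Strict-Transport-Security: max-age=15552000');
        return;
    }

    // Do NOT redirect an API POST to https://: the username/password would
    // already have crossed the network in the clear, and a redirect also turns
    // the POST into a GET. Refuse the request so the client bug is noticed.
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "This API is available only over HTTPS.\n";
    exit;
}

enforce_https($_SERVER);

// ... existing method dispatch and gzip-encoded XML response continue here ...
```

Run this before any method handler and before any output; it is the server-side half of the move to HTTPS, and the iPhone client then simply has to use `https://` URLs for the API subdomain. The `Strict-Transport-Security` header is harmless for the app's own requests and protects any browser-based consumer of the same host; to test the guard, send the same POST once with `http://` and once with `https://` and confirm the first is answered with 403 rather than with data.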