1

I'm diving into web development and I've built a few basic rails apps, but now I'd like to begin learning how to securely connect my iOS apps with my Rails apps. For example, if I want my iOS app to query my Rails webapp for some data from the DB by passing parameters in the url...

http://mywebapp/mycontroller/search?q=keyword

...what are some common web development methods I can use to prevent anything (or anyone) other than my iOS app from successfully executing that search query?

I'm sure this type of forgery that I'm trying to prevent has a formal name, but I'm very new to web development and I'm still learning all the jargon. Thanks so much for your wisdom!

BeachRunnerFred

3 Answers

5

Use the trick that Rails uses in protect_from_forgery by generating a unique key for your iPhone app. Then ensure that your app passes that key in the requests to the server. You can then write a before_filter to ensure that the request possesses the key. If it does, then you process the request. If it does not, then you return an error with a custom message explaining why they can't have access.

Wes
4

You could create a hash and use it as a token which would be passed with each call to identify your application (a hard-coded value in the app) and the session (the current IP address of the client). So: hard_coded_value + ip_address -> MD5/SHA1 (whichever) = token. Your server would also have a copy of the hard-coded value as well as the calling client's IP address, perform the same hashing function and compare the results. If they match, it's your app. If not, then it isn't.

Paul Sasik
  • Good one. Also check that the user agent in the request object is iOS before performing this. – Naren Sisodiya Apr 16 '11 at 04:53
  • Thanks, Paul! I'm trying to implement this approach and I'm finding out that it's extremely difficult to get the IP address of the iOS device. Every method I've found has been some horrible hack or it uses a private API, which will get my app bounced from the app store. It appears, at first glance, that Apple doesn't want developers accessing this data, which is stupid. Still looking... – BeachRunnerFred Apr 16 '11 at 18:47
  • If I can't get the IPAddress easily, can you think of another piece of data I can use in its place? Thanks again! – BeachRunnerFred Apr 16 '11 at 18:58
  • You can try and read the IP from a web site like this one: http://www.whatismyip.com/ The IP is a good piece of data because it's transient. If reading it doesn't work, you could just go with a hard-coded value that is hashed along with whatever resource the client is requesting from the server. – Paul Sasik Apr 16 '11 at 20:01
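As an added example (not code from the question or from either answer), here is the before_filter check Wes describes combined with the hashed-token scheme from this answer and its comments, written in plain Ruby so it runs without Rails. The secret, parameter name and path are constructed for the example, and HMAC-SHA256 stands in for a bare MD5/SHA1 of the concatenated values; the token is bound to the requested resource, as Paul suggests above when the client IP is not available.

```ruby
require "openssl"

# Added example, not from the original question or answers.
# token = HMAC-SHA256(shared_secret, requested_resource): the client computes it
# before each call, the server recomputes it from the path actually requested.
module AppTokenAuth
  # Constructed value for the example; a real app would embed its own secret.
  SHARED_SECRET = "example-shared-secret-change-me".freeze
  # Constructed parameter name carrying the token in the query string.
  TOKEN_PARAM = "app_token".freeze

  # Client side: what the iOS app computes for /mycontroller/search?q=...
  def self.token_for(resource, secret = SHARED_SECRET)
    OpenSSL::HMAC.hexdigest("SHA256", secret, resource)
  end

  # Server side: recompute from the requested path and compare in constant
  # time, so a wrong token fails the same way however many leading characters
  # happen to match. A missing token is simply an empty string and fails.
  def self.valid?(resource, params, secret = SHARED_SECRET)
    presented = params[TOKEN_PARAM].to_s
    expected  = token_for(resource, secret)
    return false unless presented.bytesize == expected.bytesize
    diff = 0
    presented.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# How a Rails controller would use it (hypothetical filter name):
#   before_filter :require_app_token
#   def require_app_token
#     head :forbidden unless AppTokenAuth.valid?(request.path, params)
#   end
if $PROGRAM_NAME == __FILE__
  path  = "/mycontroller/search"
  token = AppTokenAuth.token_for(path)
  # Flip the first hex character so the tampered token is guaranteed to differ.
  bad   = token.sub(/\A./) { |c| c == "0" ? "1" : "0" }
  puts AppTokenAuth.valid?(path, { "app_token" => token })   # true
  puts AppTokenAuth.valid?(path, { "app_token" => bad })     # false
  puts AppTokenAuth.valid?("/other", { "app_token" => token }) # false
end
```

Because the secret ships inside the app binary, this check identifies the app build rather than a user, so it belongs alongside per-user authentication rather than in place of it.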
1

You should add HTTP basic authentication to your web app (search file). Refer to these links:

http://en.wikipedia.org/wiki/Basic_access_authentication

http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic.html

Basic HTTP Authentication on iPhone

NSURLConnection and Basic HTTP Authentication in iOS

Saurabh