I would like to develop a privately distributed iOS app with Jasonette that acts as a gateway to my password-protected website. The credentials to access the website would be embedded directly in the URL, i.e. "https://user:pass@website.com".
Which security risks are involved with this solution?
Here are some further considerations:
- The website should only be accessible to those who own the app.
- The website in question is protected by SSL
- To those familiar with jasonette: both the URL pointing to the configuration JSON and the URLs within the JSON would be using embedded passwords
- The app will be restricted to an organization on Apple Store Connect
Here are some of my concerns:
- Undesired users of the device finding the login credentials in plaintext
- Malware on the device obtaining the login credentials from my app
- Man in the middle obtaining the login credentials while making a connection to the website (does the username:password part of the URL get encrypted?)
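
An added example, not part of the original post: a small audit script that walks a Jasonette-style configuration JSON and reports every URL carrying `user:pass@` userinfo, which is how the plaintext-credential concern above can be checked before an app or config is shipped. The sample config, its keys, the `website.example` host and the credentials are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample config: keys, host and credentials are made up.
SAMPLE_CONFIG = json.loads("""
{"$jason": {
  "head": {"title": "Gateway", "actions": {"$load": {
    "type": "$network.request",
    "options": {"url": "https://user:pass@website.example/api/items"}}}},
  "body": {"sections": [{"items": [
    {"type": "image", "url": "https://website.example/logo.png"},
    {"type": "label", "text": "Open",
     "href": {"url": "https://user:pass@website.example/home"}}]}]}
}}
""")


def find_embedded_credentials(node, path="$"):
    """Return (json_path, username, password, redacted_url) for every
    string value that parses as a URL with userinfo in its authority."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_embedded_credentials(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_embedded_credentials(value, f"{path}[{i}]")
    elif isinstance(node, str) and "://" in node:
        try:
            parts = urlsplit(node)
            port = parts.port          # raises ValueError on a bad port
        except ValueError:
            return hits                # not a well-formed URL, skip it
        if parts.username or parts.password:
            host = parts.hostname or ""
            if ":" in host:            # IPv6 literal needs its brackets back
                host = f"[{host}]"
            if port:
                host += f":{port}"
            redacted = urlunsplit((parts.scheme, host, parts.path,
                                   parts.query, parts.fragment))
            hits.append((path, parts.username, parts.password, redacted))
    return hits


if __name__ == "__main__":
    for where, user, _secret, url in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"{where}: credentials for {user!r} embedded in {url}")
```
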