3

We're looking to use the UDID to authenticate a user against server-side web services for an iOS application. My one concern is that users will try to brute force access to another user's account by making auth attempts using random UDID values. I can work on things such as throttling their requests, however I was curious if there is a way to make a "signed" request.

Meaning, is there a way I can certify that the client with UDID foo was generated and sent from the device that UDID foo belongs to, and not some random user with access to curl and a ruby script to call my service multiple times?

I think what I'm looking for is a signed http request. I'm not sure where to start building out such support on either the client or server though.

randombits
  • 47,058
  • 76
  • 251
  • 433

2 Answers2

2

Those GUIDs are huge. The chance of guessing one seems extremely remote. I'd guess it would take several millennia to come across one 'randomly'.

You are almost surely at more risk of someone sniffing an existing one or using their access to the user's device to obtain it.

Honestly, given how easy it would be to obtain a user's udid, I'd be surprised if Apple didn't recommend against using it that way.

All it takes is for me to email one of your users with a link to my "cool new free game" and bam I've got the udid.

Or, sitting in a coffee shop, and sniffing WiFi traffic - waiting for some ad-sponsored game to send the udid over the wireless for tracking purposes.

But...

How about Client SSL Certificates?

How to use Client Certificate Authentication in iOS App

Or Signed XML Documents?

http://en.wikipedia.org/wiki/XML_Signature

Honestly, there is only so much you can do in this regard.

You'll never be able to stop a truly determined bad guy from cracking open your .ipa and extracting a client side ssl cert - or whatever other mechanism you have to thwart someone.

I'm just saying - since you are distributing the application (this isn't an in-house application running point-to-point over the internet) there is really no way to truly secure the client (mobile) side code - and thus, no way to truly ensure only authorized clients are making requests to your service.

Ultimately, the burden of security is on your services.

Community
  • 1
  • 1
Steve
  • 31,144
  • 19
  • 99
  • 122
1

You should give a try to HTTP authentication

teriiehina
  • 4,741
  • 3
  • 41
  • 63