3

I'm writing an Apple iOS app that login to a account and fetching some balance. It use a plain html link for the login:

https://www.myaccount.com/login.jsp?username=myusername&password=mypassword

The username and password is dynamically loaded to the login link at runtime.

I've sniffed the traffic using Wireshark and I couldn't find the username or password in any of the packages being sent. I guess the SSL(?) thing of "https" have encrypted the query.

I'm I right? Is this a safe way? Any other thoughts? How should I handle the password in the app to avoid security issues? Is it cached? Do I need to encrypt it if I want the app to remember my password?

user872661
  • 251
  • 2
  • 13

2 Answers2

5

Although technically safe as Sjoerd pointed out, this is just great for social engineering. In the internet cafe: "Dammit, that's a cool article. Can you email me the URL real quick?"

You won't believe how many people fall for this kind of stuff.

Another drawback is that Browsers tend to cache URLs, so again very unsafe in situations where multiple people have access to the same machine.

A much better way is to use HTTP Basic Authentication or at least HTTP POSTing the data.

emboss
  • 38,880
  • 7
  • 101
  • 108
1

This is secure in the sense that it can not be sniffed, since the request is sent over an encrypted HTTPS channel. However, it does show up in the address bar of the browser and possibly in the log files of the server.

The safer way is to POST the username and password to the JSP page, so that they do not show up in the URL.

Sjoerd
  • 74,049
  • 16
  • 131
  • 175
  • Hmm, well I don't have a address bar so I guess it's ok then? NSURL *url = [NSURL URLWithString:@"https://www.myaccount.com/login.jsp?username=myusername&password=mypassword"]; NSError *error; NSString *loginPage = [NSString stringWithContentsOfURL:url encoding:NSASCIIStringEncoding error:&error]; – user872661 Aug 01 '11 at 11:21