I have an iOS app which communicates with a web app; both are made by me. The iOS app is meant to be used by a few persons (less than 10) so I don’t need to have giant security checks (there’s no user name or password, merely an identifier to differentiate the persons).
My initial thought was to restrict by IP addresses, in order to prevent hackers from manipulating my web apps (e.g. by figuring out the URL scheme and sending commands). I tried so, but since users are supposed to access the iOS app by phone, the GSM address isn’t fixed and I can’t make a white list (unless I figure out all addresses that are valid in my country, but I doubt it).
So I’m thinking of simply not checking the IP address and assuming the URL scheme can’t be discovered by hackers (HTTPS should not disclose such data, right?); the fact that an identifier is needed (the server refuses to handle the request otherwise) makes me guess it’s enough, but is it? The identifier is passed as a parameter in the URL.
Thanks.
What alternative would you recommend, keeping in mind that it’s for friends, and I’d like to avoid hassling them with complex log-in methods? (actually, they just enter the identifier at first use and won’t have to remember this later).
If you block IP ranges, the hacker will try through various proxy servers in various countries to see if they come through.
And users are disappointed if they can’t use the app while on vacation.
It may be good to have something to prevent someone from capturing the request and replaying it.
What does the app do? If it handles data that is even remotely sensitive, your friends will appreciate the fact that you require some authentication, no matter how minimal.
Well, it’s just a checklist (to-do list). Nothing confidential. Knowing my friends, several don’t want to be bothered by authentication.
Thinking deeper, I realise I’m more concerned about hackers possibly corrupting (e.g. taking control of) my server/app rather than confidentiality.
Thanks.
Yes, I already do this. But the credentials must be sent to the server to be validated; it’s where I’m fearing a hacker could monitor the connection, see the URL and reuse it later (even if I encrypt the credentials, the hacker can just use the encrypted string).
Authentication is fine; I’m just not sure if accepting all IP addresses isn’t a big breach (I guess).
Thank you.
You’ve got this all turned around in your head. A basic, secure channel system would look like this:
Connection between client and host is established over a secure channel such as HTTPS. Nothing inside a HTTPS connection can be observed by a hacker – the URL is encrypted, as is all GET and POST data.
The client authenticates with the server. If the authentication fails, no further communication is permitted.
If authentication succeeds, the server issues a token to the client that it can reuse for further communications to identify itself to the server. HTTP is a stateless protocol, which means that the HTTP server doesn’t have any way to keep track of clients - that is handled one step higher on the stack (in this case, your client and server software). The token is usually a random A-Z0-9 string of arbitrary length that is not derived from the username or password.
The client makes more requests, each one including the authentication token. Because all requests are made via HTTPS, the tokens can’t be observed by any other actor. The token helps the server identify the client and maintain any necessary state.
When the client is done, it “returns” the token to the server by making a final request to the server which logs it off and destroys the token. This prevents token reuse.
There are more sophisticated ways of doing this, but for your average client-server situation, this will be sufficient.
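Added example, not from the answer above or from either of the asker's apps: a minimal server-side implementation of the five steps just described, written in Python. It assumes HTTPS carries every request, so the token is never visible on the wire, and all names (register, login, handle_request, logout, the in-memory dictionaries) are illustrative. It also goes one step beyond the answer by storing only a salted hash of each person's secret, and it shows why the worry in the comments about an attacker reusing a captured identifier goes away: once logged in, the identifier comes from the server's session table, not from the URL, and the random token stops being valid the moment it is returned.

```python
# Added example (not from the original thread): token-based sessions following
# the answer's steps. Assumes the transport is HTTPS; function and variable
# names are illustrative assumptions, not anyone's real API.
import hashlib
import hmac
import secrets

# Constructed credential store: identifier -> (salt, PBKDF2 hash of the secret).
# The "secret" is whatever the friends type once on first use.
_USERS = {}
# Live sessions: token -> identifier. Tokens are random and not derived from
# the identifier or the secret, so guessing the URL scheme yields nothing.
_SESSIONS = {}

_PBKDF2_ROUNDS = 200_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _PBKDF2_ROUNDS)


def register(identifier: str, secret: str) -> None:
    """Store a salted hash of the secret; the secret itself is never kept."""
    salt = secrets.token_bytes(16)
    _USERS[identifier] = (salt, _hash_secret(secret, salt))


def login(identifier: str, secret: str):
    """Steps 2 and 3: verify the credential, then issue a fresh random token.
    Returns the token string, or None when authentication fails."""
    record = _USERS.get(identifier)
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison so timing does not reveal how much matched.
    if not hmac.compare_digest(_hash_secret(secret, salt), stored):
        return None
    token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe encoded
    _SESSIONS[token] = identifier
    return token


def handle_request(token, action: str):
    """Step 4: every request carries the token; unknown tokens are refused.
    Returns an (HTTP status, body) pair."""
    identifier = _SESSIONS.get(token)
    if identifier is None:
        return (401, "unauthorised")
    # Who is acting comes from the server-side session, not from the URL.
    return (200, f"{identifier}: {action}")


def logout(token) -> bool:
    """Step 5: the client 'returns' the token and the server destroys it,
    so a copy of the token captured earlier cannot be replayed afterwards."""
    return _SESSIONS.pop(token, None) is not None


if __name__ == "__main__":
    register("alice", "first-use-secret")
    tok = login("alice", "first-use-secret")
    print(handle_request(tok, "add item 'milk'"))     # (200, ...)
    logout(tok)
    print(handle_request(tok, "add item 'eggs'"))     # (401, 'unauthorised')
```

The in-memory dictionaries stand in for whatever storage the real web app uses; the points that matter are that the token is random, compared server-side, and removed at logout.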