Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

authentication - Secure https encryption for iPhone app to webpage

I want to sell an iPhone app, that will house a single web view to a web page, say http://www.myapp.com/webview/ I would like the app to effectively store the credentials required for authentication at the website (ie only someone who has bought the app can view this page)

How else would I have a secure, simple webview on the iPhone, without requiring the user to log in(essentially they buying the app will constitute their authentication to the page)

Can anyone help with this?

Question&Answers:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

There is no absolute way to achieve this goal. If you have a web service that uses a shared credential (one bundled in the application), then it will be possible to reverse engineer that credential. Ultimately it is impossible to ensure that a client running on another machine is "your" client.

There have been many discussions of this. It is not hopeless, only impossible to solve 100% (or even 90%). A simple shared secret over SSL will stop the majority of your attackers without harming your users or costing a lot to develop. It is obfuscation, not security, but cheap and "mostly effective" is much better than expensive and "mostly effective."

If you have a very high-value product, then it may warrant more aggressive (expensive) solutions. All of these solutions include one of two things:

  • Authenticating the user rather than the program, or
  • Continual vigilance, watching for new attacks and responding with fixes that patch them.

The latter is very expensive and never ends. Make sure it's worth it.

Some other useful discussions:


EDIT I wanted to point out one thing about my mention of "shared secret over SSL." Remember that if you don't verify the certificate, you are subject to very easy man-in-the-middle attacks. Readily available proxies like Charles can do this. The best approach is to make sure that the SSL certificate being returned is signed by your root certificate, not just "any trusted certificate." You can reconfigure which certificates are trusted by your application with SecTrustSetAnchorCertificates(). iOS5:PTL covers this technique in Chapter 11 (page 221). I've also wrapped this into a library called RNPinnedCertValidator.

Another good layer is to implement a challenge-response system where the server authenticates that the client has the shared secret without ever putting it on the wire. The Wikipedia article on Challenge-resonse authentication includes a good explanation of the algorithm.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...