Security implications to be aware of when writing a lightweight network file transfer protocol

Question

I have a desktop application that will 'sync' with an iPhone application. The sync is actually a simple file copy — the iPhone app is a viewer, so I don't have to deal with the complexities of actually syncing the data in a two-way manner.

I've written my own protocol since I need it to be lightweight, and I'm sending files that may be bigger than the RAM available on the device — therefore, the files are being streamed straight from the network to disk.

The files consist of one 'data' file (an SQLite database) and zero or more resources, which are pictures, PDFs, etc. Once the connection has been accepted, the client and the server communicate in chunks, which start with the following struct:

struct ChunkHeader {
    UInt32 headerLength;
    UInt32 totalChunkLength;
    UInt32 chunkType;
    UInt32 chunkNameLength;
    UInt32 chunkDataLength;
} __attribute__ ((packed));

After the struct comes a UTF-8 filename string immediately followed by the data for that file. The header struct contains the length of the filename string (chunkNameLength) and the length of the binary data length (chunkDataLength). chunkType contains the "type" of the chunk so the client knows what to do with the data, and can be one of the following:

typedef enum {
    kChunkTypePreSyncInfoDictionary = 0,
    kChunkTypeDataFile = 1,
    kChunkTypeResource = 2,
    kChunkTypeEndOfData = 3,
    kChunkTypeSyncCancelled = 4
} ChunkType;

Up to now, I haven't taken security into account at all. The sync will take place over a local WiFi network, which may or may not be encrypted. The data being copied doesn't contain sensitive information by its nature in the way a word processing document doesn't — there's nothing stopping the user entering sensitive details if they want to, but it isn't asked for.

So, what steps should I take to ensure the data is adequately secure? I'm working in Objective-C, but I'm not looking for language-specific answers, just concepts. Things I'm worried about:

• Should I take steps to prevent data spoofing?
• Should I take steps to actually encrypt the data?
• Should I take steps to ensure another application doesn't pretend to be my app and replace either the client or server with something else?
• Should I take steps to check the received data for something that causes damage?

Answer 1

"Should I take steps to check the received data for something that causes damage?"

Always. Unconditionally. Without Exception.

For your other questions:

• Should I take steps to prevent data spoofing?

• Should I take steps to actually encrypt the data? (snooping)

• Should I take steps to ensure another application doesn't pretend to be my app and replace either the client or server with something else? (spoofing again)

You said "The data being copied doesn't contain sensitive information" so snooping seems not to be a threat scenario you care about.

So, it looks like you're worried about some spoofing threat scenario (you mentioned it twice).

This is usually handled with some kind of exchange of credentials between client and server. Passwords work for user authentication. Some kind of certificate might work for client-server mutual trust.

The idea is to have "enough" information for the client and server to know the other party is trustworthy. Some folks are happy with a known URL. Other folks want some "shared secret" (like a password). Some folks need even more, and include numerous details in the protocol. Some folks include algorithmic details in the protocol (HTTP Digest Authentication, for example, requires the client to do a little algorithmic dance on data provided by the server.)