views:

280

answers:

1

When developing an application, there might come a time where I would want to establish a secure connection like a VPN with a client. An iPhone is the topic here. Once the user has established this, is all IP traffic routed when I suggest it do so? I'm curious about some open port or inspection of VPN traffic.

Is there any method available with the SDK to validate that no data has been sent "around" the route that I suppose the switch activates?

The problem is more of a question in the inherent security of the iPhone. If I say that all traffic should go through the VPN I've selected, is there anything buried in the APIs or even the SDK that points to the base operating system (OS X) being able to talk to another IP address without going through the proxy? If I am at a location using 3G and my app is using VPN to secure data, I have to make sure there is no backdoor or leakage that I have missed.

A: 

If you've got a typical client-server configuration, you should configure the server so that access is only possible via VPN. This means that you can tell if the user is connecting via VPN on the client side, because if they weren't they wouldn't be able to connect.

Other than reachability tests, there's no way of "knowing" if the user is connected via a particular VPN configuration.

Nathan de Vries
This does raise a good question about making -sure- that we are still connected via VPN. The icon could be done with a jailbroken device, but I am interested in something else. I need to know that if my users are instructed to go to settings and the VPN, will the iPhone continue to talk to push servers, etc., over non-secure communication.
phreaki
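The server-side restriction suggested in the answer, sketched as an added example (not code from the original posters): the server accepts a request only when the socket peer address falls inside the VPN's address pool. The pool ranges, the `gate` helper and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumed VPN address pools (constructed): use the ranges your VPN gateway hands out.
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24"),
             ipaddress.ip_network("fd00:8::/64")]

def normalize(peer):
    """Parse the socket peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop any IPv6 zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def is_vpn_client(peer, pools=VPN_POOLS):
    """True only if the peer address parses and lies inside a VPN pool."""
    try:
        addr = normalize(peer)
    except ValueError:
        return False  # unparseable peer address: fail closed
    return any(addr.version == net.version and addr in net for net in pools)

def gate(environ):
    """Decide on the transport-level peer only (WSGI REMOTE_ADDR).

    Client-supplied headers such as X-Forwarded-For are deliberately ignored:
    a client off the VPN can set them to any value.
    """
    peer = environ.get("REMOTE_ADDR", "")
    return "200 OK" if is_vpn_client(peer) else "403 Forbidden"

# Constructed sample requests.
SAMPLES = [
    {"REMOTE_ADDR": "10.8.0.5"},                       # arrived through the tunnel
    {"REMOTE_ADDR": "::ffff:10.8.0.5"},                # same client on a dual-stack listener
    {"REMOTE_ADDR": "203.0.113.7",                     # direct from a carrier network,
     "HTTP_X_FORWARDED_FOR": "10.8.0.5"},              # claiming a VPN address in a header
    {"REMOTE_ADDR": "not-an-address"},
]

if __name__ == "__main__":
    for env in SAMPLES:
        print(env["REMOTE_ADDR"], "->", gate(env))
```

A `200 OK` here shows only that this request reached the server through the tunnel; it says nothing about other traffic leaving the device, which matches the answer's point that reachability is the only signal available.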