Hi,

I am about to start developing an iPhone application that should log in and communicate information securely between the app and a web server. I haven't done much development in this area before, so I have done some research and would be very thankful for any input on how to handle this in the best/easiest way.

Currently, the people developing the web server do not know/have a system for handling requests from the application I will develop, so they will most likely need to create something new.

Authentication: From what I understand, using HTTP authentication is not safe at all, and the best approach would be to use HTTPS? What would be the difference in the iPhone application if using HTTPS or HTTP? I suppose the server and the client would need a certificate, and what does Apple think about using SSL?

Regardless of what I choose, is this how it works?
1. Create an NSURLConnection with the server, listen for the didReceiveAuthenticationChallenge callback and respond with the user/password.
2. Use the connection created to send any other information?

Communication with the web server: The application needs to send about 20 different requests to the server and needs to act on the responses. Would SOAP or any other web service be a good way to handle this? I believe that SOAP is pretty much XML over HTTP, so in an application this should be as easy as creating an NSMutableURLRequest and then parsing the response with an XMLParser?

Or is there another much better solution?

Thanks

+1  A: 

From what I understand, using HTTP authentication is not safe at all, and the best approach would be to use HTTPS?

Yes. Data transferred over HTTP is transferred as plain text, which means your passwords, credit card info, etc. are all interceptable as they wind their way through the public Internet. Data transferred over HTTPS is encrypted, so only the client and the receiving server can decode it.

What would be the difference in the iPhone application if using HTTPS or HTTP?

Essentially no difference. There's a little overhead for encrypting the data, but not much.

I suppose the server and the client would need a certificate, and what does Apple think about using SSL?

Yes, the server would need an SSL certificate. GoDaddy sells them for about $25/year. Apple is perfectly fine with you using them.

ceejayoz
The server can also use a self-signed SSL certificate if you don't want to spend money on an official one. The NSURLConnection has a delegate method that you can implement to accept self-signed certificates.
St3fan
Interesting, thanks!
ceejayoz