I am building a secure app for our execs... here is my setup. It's a somewhat MacGyver approach, but bear with me :)
- There are only 10 users; I have a record of each uniqueIdentifier on my backend in a database table. (This is internal only for our users, so I don't believe I am breaking the public user registration rule mentioned in the API docs.)
- Through ad hoc distribution I install my app on all 10 devices.
- My app is simply composed of a UIWebView.
- When the app starts, it does a POST to our HTTPS site sending the uniqueIdentifier. (Thanks to this answer.)
- The server page that receives the POST checks the uniqueIdentifier and, if found, sets a session cookie that automatically logs them into the site.
- This way the user doesn't have to enter in their credentials every time.
So what do you think: is there a security hole with this?
Thanks
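As an added example (not code from the question or from the linked answer), here is a minimal Python model of the server side described above: a table of enrolled identifiers, the handler for the app's startup POST, and the session lookup for later requests. The identifier values, the in-memory session store, the form-encoded body format and the cookie name `session` are all assumptions made for the example.

```python
import secrets
from hmac import compare_digest
from urllib.parse import parse_qs

# Constructed stand-in for the backend table that maps each enrolled
# device's uniqueIdentifier to a user. The values are made up for this example.
KNOWN_IDENTIFIERS = {
    "2b7e151628aed2a6abf7158809cf4f3c": "alice",
    "3ad77bb40d7a3660a89ecaf32466ef97": "bob",
}

# Server-side session store: random token -> username (in-memory for the example).
SESSIONS = {}


def lookup_user(identifier, known=KNOWN_IDENTIFIERS):
    """Return the user enrolled for this identifier, or None.

    The identifier is acting as a credential here, so every entry is compared
    with compare_digest instead of stopping at the first mismatch; this keeps
    the comparison time independent of the submitted value.
    """
    match = None
    for enrolled, user in known.items():
        if compare_digest(enrolled.encode(), identifier.encode()):
            match = user
    return match


def issue_session(user, sessions=SESSIONS):
    """Create a fresh random session token for user and return it.

    The cookie carries this token, never the identifier itself, so a leaked
    cookie can be revoked by deleting the server-side entry.
    """
    token = secrets.token_urlsafe(32)
    sessions[token] = user
    return token


def handle_login_post(body, known=KNOWN_IDENTIFIERS, sessions=SESSIONS):
    """Process the app's startup POST (form-encoded body with uniqueIdentifier).

    Returns (status, set_cookie_header_or_None). Any client that submits an
    enrolled identifier gets a session: the identifier is the entire login.
    """
    fields = parse_qs(body, keep_blank_values=True)
    identifier = fields.get("uniqueIdentifier", [""])[0]
    user = lookup_user(identifier, known)
    if user is None:
        return 403, None
    token = issue_session(user, sessions)
    # Secure + HttpOnly + SameSite: the cookie only travels over TLS and is
    # not readable from script inside the web view.
    return 200, f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def current_user(cookie_header, sessions=SESSIONS):
    """Resolve the user from a Cookie: header on later requests, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in sessions:
            return sessions[value]
    return None


if __name__ == "__main__":
    status, cookie = handle_login_post(
        "uniqueIdentifier=2b7e151628aed2a6abf7158809cf4f3c"
    )
    print(status, cookie)
    print(current_user(cookie.split(";")[0]))
```

Running the block logs the constructed "alice" device in and resolves the resulting cookie back to her. The point the model makes visible is that `handle_login_post` checks nothing except the identifier: whoever can submit an enrolled value receives a session, so the identifier is the whole credential, and the random session token only limits what a stolen cookie (as opposed to a known identifier) is worth.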