tags:

views:

131

answers:

1
Q: 

iPhone - Web Access Authentication

I am building a secure app for our exec's... here is my setup. It's a somewhat Macgyver approach, but bear with me :)

  1. There are only 10 users, I have a record of each uniqueIdentifier on my backend in a database table. (This is internal only for our users, so I don't believe I am breaking the public user registration rule mentioned in the API docs)
  2. Through adhoc distribution I install my app on all 10 devices
  3. My app is simply composed of a UIWebView.
  4. When the app starts it does a POST to our https site sending the uniqueIdentifier. (Thanks to this answer)
  5. The server page that recieves the POST, checks the uniqueIdentifier and if found sets a session cookie that automatically logs them into the site.
  6. This way the user doesn't have to enter in their credentials every time.

So what do you think, is there a security hole with this?

Thanks

+2  A: 

Since you are storing all your unique IDs in the application, each of which is a credential that unlocks access, all I need to do is steal one of your employee's phones or otherwise get a copy of the application to look for those keys.

If you need to store credentials on the phone, use the iPhone's Keychain.

Alex Reynolds  2010-03-14 07:33:35
Thanks Alex, I'll check out the KeyChain doc. Yeah, I had thought about if their phones were stolen. Most users have it setup to ask for their passcode every 4 hours. On your second point: I could store the md5 version of their uniqueIdentifier
Terry  2010-03-14 07:55:33
You might want to talk to a web app and/or iPhone security specialist, because what you're doing sounds a bit sketchy, to me. For example, md5crack would be one way to recover keys: http://md5crack.com/ Although the work you want to do may depend on how secure your application needs to be.
Alex Reynolds  2010-03-14 08:14:49

related questions

How do we get arround Apple's decission to skip sms templates for iPhone?
iPhone App Crashing - Error Question
Can I write native iPhone apps using Python
Does the Iphone 1/2 have a compass inside?
How do you beta test an iphone app?
Is it just the iPhone simulator that is restricted to intel only Mac's?
iPhone App Minus App Store?
Deleting messages from Exchange IMAP mailbox on iPhone
Is there a multiplatform framework for developing iPhone / Android applications?
How can I launch the Google Maps iPhone application from within my own native application?
Tips for a successful AppStore submission?
iPhone app that access the Core Location framework over web
Virtual Mac?
What's a good machine for iPhone development?
How can I develop for iPhone using a Windows development machine?
Recommended iPhone Development Resources
Best Wiki for Mobile Users
How to programmatically send SMS on the iPhone?
iPhone - Exchange Calendars in Public Folders
iPhone web applications, templates, frameworks?
Understanding reference counting with Cocoa / Objective C
How-to articles for iPhone development, Objective-C
What are the correct pixel dimensions for an apple-touch-icon?
How do I give my web sites an icon for iPhone?
iPhone app in landscape mode