tags:

views:

139

answers:

2
+1  Q: 

Protecting Data Feed for iPhone App

I am creating an App that pulls data from a file on my server. That file gets data from my database, based on GET values that are passed through the URL.

I would like to keep this feed closed - that is, I don't want people finding the datasource and reading the data on their own. I considered sending an alphanumeric id along with the url string, but if they can find the URL that I am calling, then there won't be anything preventing them from grabbing that alphanumeric id also.

I am looking for any ideas or experiences that might help me here.

Thanks.

+2  A: 

You could use HTTPS, that will prevent casual observation of the data transfer, although it won't protect it completely.

You could also require that the user login to retrieve the feed, it would be relatively easy to side-step a user registration process by using the device's UDID as the account value, then just asking the user for a password.... this method could still be abused by a malicious individual, but once you introduce user accounts you can throttle the requests.

You can also use a guid or hash in the url string to prevent a casual observer from just iterating through all possible values to scrape your database.

jessecurry  2010-03-25 16:38:40
I am assuming there isn't a way to automatically get someone's UDID when they first download the app? I'm thinking I could make a user for each person that downloads the app, using their UDID as their usercode. I wouldn't require a password, but if someone's UDID was making a crazy amount of calls to the data, I could cut them off - but if I have the code auto-create a user account whenever the UDID doesn't exist, someone could just sidestep the whole thing, forcing it to create a new user every time.
Chris  2010-03-25 17:09:27
You can't get it via the App store, but when the App is first run you may call `[[UIDevice currentDevice] uniqueIdentifier]`, it will return a GUID for the phone, you can then send this to your server.
jessecurry  2010-03-25 17:18:55
That would work, but my point is that if I'm allowing the user to send me their UDID from their device, then someone could get the the URL of the datasource and send in a fake UDID.
Chris  2010-03-25 17:24:37
Yeah, I mentioned originally that it could be abused by a malicious individual, but it adds another layer of complexity to any attack, and allows you to do some throttling. You'd probably want to store the IP and the UDID that was passed in, to prevent multiple UDIDs being submitted from the same place too quickly.
jessecurry  2010-03-25 20:20:17
A: 

There really isn't any way to prevent people from reading your feed. You can put in obfuscation, but the fundamental problem is that anyone can download the app and examine it to find out any secret that you use to hide the data.

However, something that would hide it from the casual observer would be to store a key in the code segment of your app and then (over a TLS link), pass that key to the server, which would then grant access.

Andrew Pouliot  2010-03-25 18:21:10

related questions

How do we get arround Apple's decission to skip sms templates for iPhone?
iPhone App Crashing - Error Question
Can I write native iPhone apps using Python
Does the Iphone 1/2 have a compass inside?
How do you beta test an iphone app?
Is it just the iPhone simulator that is restricted to intel only Mac's?
iPhone App Minus App Store?
Deleting messages from Exchange IMAP mailbox on iPhone
Is there a multiplatform framework for developing iPhone / Android applications?
How can I launch the Google Maps iPhone application from within my own native application?
Tips for a successful AppStore submission?
iPhone app that access the Core Location framework over web
Virtual Mac?
What's a good machine for iPhone development?
How can I develop for iPhone using a Windows development machine?
Recommended iPhone Development Resources
Best Wiki for Mobile Users
How to programmatically send SMS on the iPhone?
iPhone - Exchange Calendars in Public Folders
iPhone web applications, templates, frameworks?
Understanding reference counting with Cocoa / Objective C
How-to articles for iPhone development, Objective-C
What are the correct pixel dimensions for an apple-touch-icon?
How do I give my web sites an icon for iPhone?
iPhone app in landscape mode