Have you considered using HTTPS with client-certificate authentication? This would definitely solve your authentication problem, but I'm not sure how this works within the iPhone. (Safari has issues with the way client certificates are chosen, for example.)
This would do the authentication at the transport level (TLS, under HTTP).
If you want to do this at the message level (within HTTP), you could also use a digest that you sign with the private key in the header.
There already is a standard header for digests (Content-MD5), but I wouldn't recommend MD5 because of weaknesses discovered recently. Try SHA-1 or above perhaps.
Those digests wouldn't be signed, so you would need an extra header to sign this (e.g. X-Content-RsaWithSha1), and perhaps another one to send the certificate if the server doesn't know which certificate to expect in advance.
You would also need to support reading and verifying those custom headers on the server side.
The HTTPSec specification addresses message-level security at the HTTP level, although I'm not aware of any iPhone implementation.
Regarding the security of the p12 file, if your app intends to use it, you're going to have to ship its password somehow if it's bundled within the app, so cracking the binary would also certainly reveal that password and thus the private key.
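The signed-digest scheme sketched in this answer, as an added Go example that is not part of the original answer: the client puts a SHA-256 digest of the body and an RSA signature over that digest in custom headers, and the server recomputes the digest from the body it actually received before checking the signature. The header names X-Content-Sha256 and X-Content-RsaWithSha256 and the functions SignBody/VerifyBody are assumptions; the certificate header the answer mentions is left out, and the server is assumed to already hold the client's public key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
)

// Header names are assumptions for this example; the answer only sketches the scheme.
const (
	digestHeader    = "X-Content-Sha256"
	signatureHeader = "X-Content-RsaWithSha256"
)

// SignBody (client side): base64 SHA-256 digest of the body plus an RSA PKCS#1 v1.5
// signature over that digest, both carried in custom headers.
func SignBody(h http.Header, body []byte, key *rsa.PrivateKey) error {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	h.Set(digestHeader, base64.StdEncoding.EncodeToString(digest[:]))
	h.Set(signatureHeader, base64.StdEncoding.EncodeToString(sig))
	return nil
}

// VerifyBody (server side): recompute the digest from the body actually received (the
// digest header is never trusted on its own), require the header to match, then verify
// the signature with the public key the server already expects from this client.
func VerifyBody(h http.Header, body []byte, pub *rsa.PublicKey) bool {
	digest := sha256.Sum256(body)
	claimed, err := base64.StdEncoding.DecodeString(h.Get(digestHeader))
	if err != nil || !bytes.Equal(claimed, digest[:]) {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(h.Get(signatureHeader))
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```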