views: 1326
answers: 5

I'm building an iPhone application that talks to a Ruby on Rails backend. The Ruby on Rails application will also service web users. The restful_authentication plugin is an excellent way to provide quick and customizable user authentication. However, I would like users of the iPhone application to have an account created automatically by the phone's unique identifier ([[UIDevice device] uniqueIdentifier]) stored in a new column. Later, when users are ready to create a username/password, the account will be updated to contain the username and password, leaving the iPhone unique identifier intact. Users should not be able to access the website until they've set up their username/password. They can, however, use the iPhone application, since the application can authenticate itself using its identifier.

What is the best way to modify restful_authentication to do this? Create a plugin? Or modify the generated code?

What about alternative frameworks, such as AuthLogic? What is the best way to allow iPhones to get a generated auth token locked to their UUIDs, but then let the user create a username/password later?

A: 

Have you tried to use another auth scheme like Authlogic? I've found restful_authentication rather intrusive (although I cheated by using bort).

Keltia
Yes, restful_authentication seems fairly intrusive. I'll take a look at Authlogic, although, I've come up with a temporary alternative by modifying restful_authentication directly (but this does not future proof upgrades of it).
Kevin Elliott
+5  A: 

I think you shouldn't use the phone identifier alone to authenticate, as it is not a secret and it is probably also guessable/predictable. Don't forget that if someone wanted to hack your web app they don't have to use your code - they can just guess device IDs and try to mess with your users' data using any web client.

You should treat the device ID similar to a username - it is for identification and not authentication. I suggest you get the user to pick a password, or even better generate a random code automatically, to go with it - then send the device ID + this password/code to register the device firstly, and then subsequently to authenticate the device.

You can also bet that some users will have more than one device - either they will replace one eventually, or you will get somebody like Stephen Fry who goes around with 4 iPhones. To deal with this I would suggest that you look for a way to instantiate restful_authentication twice, once for authenticating users, and a second time for authenticating devices. I haven't used this plugin, but I expect you just need to use different table parameters to make this happen. Then in your application logic allow users to associate more than one device with their account.

To do that securely either do it from the device, or have the device display a random code which they then enter into the web app to prove they own the device (this sounds more painful than it is - it is the same process that Apple use in iTunes, Apple TV, and the Remote app - look at how they do it - so it won't be that surprising for users).

(Also make sure that when generating any random passwords you use a cryptographic random number generator as the basis - there is probably an iPhone API for this - otherwise your passwords may be predictable).

frankodwyer
Thanks Frank. That is all great advice about a security scheme for authorizing devices. It does not quite answer my question about a technique for modifying restful_authentication. I think you bring up some excellent points though!
Kevin Elliott
well really I'm suggesting you don't modify restful_authentication - rethink your scheme so you can use two different instances of it - one to authenticate devices and another to identify users. Plus application logic to allow binding N devices to a user.
frankodwyer
Do you have any suggestions on how to do that?
Kevin Elliott
frankodwyer: Is the device UUID less secure than, say, any other API key out there? API keys are usually 40 characters long or longer, how long is the device UUID?
August Lilleaas
I don't recall the length offhand, but it is of that order. However, it is not really a secret. It is available to any application running on the phone, for example. It is also visible in iTunes when the phone is connected. People hand it out to developers when they are participating in betas. And there are probably apps sending it in the clear over wifi. Last but not least, it cannot be changed - thus disclosure is a catastrophe and there is no way to recover.
frankodwyer
Frank: How do you suggest I use AuthLogic to authenticate both User and Device? Does it make sense to allow Devices to authenticate directly?
Kevin Elliott
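The scheme frankodwyer describes above, sketched in plain Ruby as an added example (this is not code from the thread, from restful_authentication or from Authlogic): the device identifier is treated as a username, a random CSPRNG-backed secret issued at registration is the password, only a digest of that secret is stored, and a device is bound to a user through a short single-use pairing code that the device displays and the logged-in web user types in. The in-memory hashes stand in for the two tables (users, devices), and the 300-second code lifetime and the 6-digit code length are assumed values, not anything the thread specifies.

```ruby
require 'securerandom'
require 'digest'

# Added example, not from the original thread or any plugin: device identifier as
# "username", random secret as "password", plus a pairing code to bind N devices
# to one user. Hashes stand in for the devices/users tables.
module DeviceAuth
  PAIRING_CODE_TTL = 300 # seconds a pairing code stays valid (assumed value)

  # Constant-time comparison so a wrong secret does not leak where it first differs.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.digest(secret)
    Digest::SHA256.hexdigest(secret)
  end

  class Registry
    def initialize
      @devices  = {} # device_id => { secret_digest:, user: } (user nil until paired)
      @pairings = {} # pairing code => { device_id:, expires_at: }
    end

    # Register a device. The random secret is returned exactly once; only its digest is kept,
    # so a leaked database does not hand out working device credentials.
    def register(device_id)
      raise ArgumentError, 'device already registered' if @devices.key?(device_id)
      secret = SecureRandom.hex(32) # 256 bits from the OS CSPRNG
      @devices[device_id] = { secret_digest: DeviceAuth.digest(secret), user: nil }
      secret
    end

    # Authenticate with device_id + secret. Knowing (or guessing) the device_id alone fails.
    def authenticate(device_id, secret)
      record = @devices[device_id]
      return nil unless record && secret
      DeviceAuth.secure_compare(record[:secret_digest], DeviceAuth.digest(secret)) ? device_id : nil
    end

    # An authenticated device requests a short code to show on screen.
    def start_pairing(device_id, secret, now: Time.now)
      return nil unless authenticate(device_id, secret)
      code = format('%06d', SecureRandom.random_number(10**6))
      @pairings[code] = { device_id: device_id, expires_at: now + PAIRING_CODE_TTL }
      code
    end

    # The logged-in web user types the code; the device is then bound to that user.
    # The code is consumed on first use and rejected once expired.
    def complete_pairing(user, code, now: Time.now)
      pending = @pairings.delete(code)
      return false unless pending && now < pending[:expires_at]
      @devices[pending[:device_id]][:user] = user
      true
    end

    def owner_of(device_id)
      @devices.fetch(device_id)[:user]
    end

    def devices_for(user)
      @devices.select { |_, r| r[:user] == user }.keys
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  reg = DeviceAuth::Registry.new
  secret = reg.register('udid-1')
  puts reg.authenticate('udid-1', secret)            # udid-1
  puts reg.authenticate('udid-1', 'guessed').inspect # nil: the id alone is not a credential
  code = reg.start_pairing('udid-1', secret)
  puts reg.complete_pairing('alice', code)           # true
  puts reg.devices_for('alice').inspect              # ["udid-1"]
end
```

A device record with `user: nil` is exactly the state the question asks for: the phone can authenticate and use the API before any username/password exists, and the web login path only ever consults the users table, so an unpaired device cannot reach the website.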
A: 

Generate random password in Rails: I am using the Restful_authentication plugin for one of my projects. As part of my user creation workflow, the system should generate a random password for the new user.

+1  A: 

Did you ever figure out a solution to this?

Nick Treffiletti
No. I'm still looking for a good solution. Right now it looks like I need both User and Device to be authenticatable. I'm considering creating a base class that they both extend, and have all the objects owned by the base class. Not sure if that will really work well yet.
Kevin Elliott
A: 

What do you think on using the UDID and a random password generated using the UDID + a sitewide defined salt?

Something like:

    require 'digest/md5'

    salt = 'afG553Dvbf3'   # site-wide salt
    udid = '1234567890'    # the device's identifier
    pass = Digest::MD5.hexdigest(udid + salt)

And send that password to the iPhone for the next time it connects.

Leandro Ardissone