tags:

views:

51

answers:

3
+2  Q: 

How to send data to webserver and know it comes from a certain application?

Hello all. I'm trying to send data from my application to a webserver. The catch is that I want to encrypt the sent data and also make sure it comes from my application. (From what I've read so far it's easy to decrypt the data if it's not sent via HTTPS. On the unique application I didn't find anything except the Application ID Apple provides for each application but I don't know how that works).

The data sent are various highscores and achievements that the user can enable. The thing is that the user doesn't have to type in anything but his username and having that associated with the UDID it should be enough. But how to make sure it's from my application?

Edit:After reading some responses around here I still didn't understand something: If someone extracts the IPA and reverse engineers it wouldn't he have access to all my .h and .m so he can look up anything in there?

A: 

If you are using HTTPS then you can just put an identifier key in your POST to the web server, either as a field or perhaps an HTTP header that identifies your app. The entire connection is encrypted so it will be protected. If you do this you will want to encrypt the key even in your binary and decrypt it as you send it over the connection, that way no one will be able to pull it out with a hex editor.

Ben  2010-10-21 14:59:01
Could you explain how to encrypt my key in the bynary? Because I'm not quite sure what a binary is. You mean the .h and the .m files? Or the actual .app of the application? And if someone extracts the ipa and looks at the files there isn't it enough to find my identifier key?
UnrealAZ  2010-10-22 08:59:16
Yeah put it in the source files but run it through a pre-processor before you use it. For example the key could be 70 but you store it as 93 and run it through a method like x-23. (As an extremely basic non-algorithmic example!) Inspection of the application binary (the compiled program) would only reveal the 93.
Ben  2010-10-22 20:39:52
"run it through a pre-processor" you kinda lost me here. What is a pre-procesor supposed to be? I have a variable x in my code with the default value of 93 and when I authenticate I do x-23?
UnrealAZ  2010-10-23 11:25:45
+1  A: 

You could generate a client certificate for the iPhone app, and use mutual authentication for your SSL handshake. Then you know that data submitted to the server come from a particular user of the app, and that your app is communicating with the correct server.

Regarding your edited update, yes if someone reverse-engineeres your app they can probably work out how the high-scores are protected. But seriously, how much trouble do you expect most people to go to in order to fake a high score in a game? Are you offering a cash prize or something?

Graham Lee  2010-10-21 15:25:52
Maybe I didn't understand correctly but to know that it's a user of my application wouldn't he require to login or something?
UnrealAZ  2010-10-22 08:58:17
So if you perform the SSL handshake with a client certificate, you know _which client_ is connecting. Of course, you don't know who's using that client, because you don't know who your users give their phones to.
Graham Lee  2010-10-22 10:26:16
I'm a big noob at this so I have one more question. The user doesn't log in to send the data. I have to add the SSL certificate to my application?
UnrealAZ  2010-10-23 11:23:39
A: 

Another approach if all you want is to know that the data comes from an authentic instance of your application is to use message authentication codes (MAC). I leave deciding how strongly the key needs protecting as an exercise to the reader - you know your security requirements better than I do.

You can use CommonCrypto - part of the iOS SDK since forever - to actually generate the MAC.

Graham Lee  2010-10-22 10:28:35

related questions

How do we get arround Apple's decission to skip sms templates for iPhone?
iPhone App Crashing - Error Question
Can I write native iPhone apps using Python
Does the Iphone 1/2 have a compass inside?
How do you beta test an iphone app?
Is it just the iPhone simulator that is restricted to intel only Mac's?
iPhone App Minus App Store?
Deleting messages from Exchange IMAP mailbox on iPhone
Is there a multiplatform framework for developing iPhone / Android applications?
How can I launch the Google Maps iPhone application from within my own native application?
Tips for a successful AppStore submission?
iPhone app that access the Core Location framework over web
Virtual Mac?
What's a good machine for iPhone development?
How can I develop for iPhone using a Windows development machine?
Recommended iPhone Development Resources
Best Wiki for Mobile Users
How to programmatically send SMS on the iPhone?
iPhone - Exchange Calendars in Public Folders
iPhone web applications, templates, frameworks?
Understanding reference counting with Cocoa / Objective C
How-to articles for iPhone development, Objective-C
What are the correct pixel dimensions for an apple-touch-icon?
How do I give my web sites an icon for iPhone?
iPhone app in landscape mode