tags:

views:

269

answers:

1
+1  Q: 

iPhone Security Guidelines

Silly question: Does Apple provide specific guidelines for contacting servers via http vs https? Also, what data is considered to require https (ie password, geopoint, bank data, etc.) Is there a concrete guideline from Apple on this? More specifically, does anyone know exactly how Apple checks/verifies that an application should or should not be "pulled" from the appstore? Does this even exist or is it a secret?

My manager is worried about not getting approved unless we do everything via https. I think this is a big mistake. Our application basically deals with timesheet and expense data for employees (ie I drove this number of miles, worked on this project for 2 hours, etc.) Because, subsequent to logging in, there are no passwords, geopoint locations, etc., I feel that https for authentication only would be ideal for obvious performance reasons. But perhaps there's are specific guidelines from Apple? Search on http://developer.apple.com, but didn't find, help/links would be appreciated. Thanks all.

+2  A: 

One answer to your question is that Apple wrote this Secure Coding Guide, containing the following paragraph:

No network should be considered to be secure without the use of a secure networking protocol. Even if you are using an internal network with no connections to the Internet, you need to use secure communication protocols and encryption to protect critical data. In a 2005 security survey by CSO magazine (in cooperation with the U.S. Secret Service and Carnegie Mellon University Software Engineering Institute's CERT Coordination Center), 23% of respondents said current or former employees were the greatest cyber security threat. Because 21% of the companies surveyed weren't sure who was the greatest threat, the real number may be higher. Software to intercept network communication packets is readily available. It's not paranoia to think that one of your employees might be trying to steal secrets over your internal network.

but please consider the following. The question should not be "what is the blanket recommendation", but then nor should it be "what does my boss want". The questions should be - what risk is there in allowing the data to travel unencrypted, what risk or cost is incurred in mitigating that risk, and where does the balance between those two lie? What risk/cost is the company willing to accept?

Graham Lee  2009-01-19 22:43:54
Ha, I'm reading that guideline right now ;) So far, a lot on Buffer Overflows, etc.
Rob  2009-01-19 23:03:37
I'd linked specifically to the paragraph about network transport encryption! I've now quoted it.
Graham Lee  2009-01-20 08:39:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security