views:

50

answers:

4

Building an iPhone OS application that will allow users to anonymously post information to a web application (in my particular case it will be a Rails based site) ... and I want to ensure that I only accept posts that originate from a specific application running on an iPhone/iTouch.

How is this best accomplished?

(btw, if your answer applies to Android please feel free to post it here as well as I'm curious to know if the techniques are the same or vary).

Thanks

A: 

You could also add a hidden field in the form, or in the data being passed up if it is XML or another format.

Romain Hippeau
A: 

The best way would be to implement a known call and response pattern. Send a value of some sort (integer, string, hash of a timestamp) to the iPhone/iTouch application. Have the application modify this information in a known way and send it back for verification. Then all you have to do is use a different modification algorithm per-platform and that will verify what type of device is being used.

VERY simple example:

  1. Server sends 100 with the response to an iPhone.
  2. iPhone adds 10 to this value and sends back with request.
  3. Server detects the value was increased by 10 and now knows it was from an iPhone.

Then on your Android clients add 20 and on another platform add 30 and so on...

Jake Wharton
Even better would be to hide this data inconspicuously in a header and then validate against an explicit HTTP header like Jacob suggested to spot spoofing attempts.
Jake Wharton
The problem with this is that it is always the same data. This means that I could just record it and resend it from my bot that fakes requests to your rails site.
Janusz
You don't use the same data though. Send the timestamp from the server with the response, cache it in the session, and then check the value from next request against it (i.e. if the client has added 1 year, 1 day, 1 hour, 1 minute, and 1 second to it and then MD5'd it).
Jake Wharton
A: 

Encrypt or sign something using the public key of a key pair, then decrypt or verify it on the server with the private key. Ultimately, anything that can be sent can be duplicated, be it a spoofed html header or an encrypted block. The app has to know the secret handshake, and anyone with access to it (and sufficient technical skills) can figure out the secret handshake.

drawnonward
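As an added illustration of the call-and-response scheme in Jake Wharton's answer (with the timestamp/nonce cached in the session, as the comments suggest) and of the keyed-secret point in drawnonward's answer, here is a plain-Ruby server side that a Rails controller could wrap. It is not code from this thread; `ChallengeStore`, `PLATFORM_KEYS` and `client_answer` are hypothetical names, and the per-platform secrets are constructed sample values. As the thread notes, those secrets ship inside the app, so this only distinguishes the real client from a bot that has not extracted them.

```ruby
require 'openssl'
require 'securerandom'

# Constructed per-platform secrets (hypothetical). Anyone who extracts one
# from the shipped app can answer challenges for that platform.
PLATFORM_KEYS = {
  'iphone'  => 'constructed-iphone-secret',
  'android' => 'constructed-android-secret'
}.freeze

# Client side: the "known modification" is an HMAC-SHA256 over the nonce.
def client_answer(key, nonce)
  OpenSSL::HMAC.hexdigest('SHA256', key, nonce)
end

# Constant-time comparison so timing does not leak how many bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: issue one fresh nonce per session, remember it, and consume
# it on verification so a recorded response cannot be replayed.
class ChallengeStore
  def initialize(ttl: 60)
    @ttl = ttl          # seconds a challenge stays valid
    @issued = {}        # session_id => [nonce, issued_at]
  end

  # Called when building the response that carries the challenge.
  def issue(session_id, now: Time.now)
    nonce = SecureRandom.hex(16)
    @issued[session_id] = [nonce, now]
    nonce
  end

  # Called on the next request; returns true only for a fresh, unexpired
  # nonce answered with the key of the claimed platform.
  def verify(session_id, platform, response, now: Time.now)
    nonce, issued_at = @issued.delete(session_id)   # single use
    return false unless nonce && now - issued_at <= @ttl
    key = PLATFORM_KEYS[platform]
    return false unless key
    constant_time_equal?(client_answer(key, nonce), response)
  end
end
```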
A: 

I would suggest the following approach.

Build an SSL enabled access to your rails app. Now create a user account for every platform you want to use and enable your applications to log in with the correct key. If you use the SSL standard in a correct way there shouldn't be a way to sniff the password and you can use standard components on the Rails and the phone side of your app.

You then need to secure the login credentials on your phone with the appropriate techniques. E.g. put it in the keychain on the iPhone.

Janusz