ansaurus

Question

Is it worth while to hide/obfuscate server connections in an iPhone app? If so how?

Answer 1

+1 A:

You dont really need to hide them...what you should do is have an extra key such as a secret, that one IS hidden and is only present in the signature of the call (which can be an MD5 hash or sha (or whatever)) without that secret key people wont be able to just make calls since the signatures created by the server and the offender wont match since they dont know the secret key used...

Daniel 2010-05-10 14:57:41

How do you hide the secret key?

Phillip Jacobs 2010-05-10 15:35:43

It's included in the signature , u can make a signature say by having parameters followed by an equal sign and it's values in abc order on a string the append the secret key to the end, take the sha hash or md5 hash of that and send it as the signature to the Service call, on the server side the same steps take place , only if the signatures match do you allow for the call to proceed

Daniel 2010-05-10 16:37:03

If the attacker can read the secret key by running your binary through strings. Reverse engineering the generation of your signature is trivial.The trick is keeping the secret, secret.

Phillip Jacobs 2010-05-14 14:31:24

well its supose to be hard to reverse engineer hashes...this is what apis like facebook do...if it wasnt so safe they prolly wouldnt be doing it

Daniel 2010-05-14 15:04:57

also u can use ssl as an added layer of security

Daniel 2010-05-14 15:05:18

Answer 2

A:

I'm guessing that most hackers won't care all that much

It just takes one who's bored enough.

Has anyone done this or have any ideas/patterns/code to share?

This is what SSL is for. You can encrypt all your transmissions or just the login process (which would return a session id that can be used for subsequent requests during the session).

webbiedave 2010-05-10 15:05:16

SSL would help, but if the service credentials were stored in the app binary, running "strings" will spill all the secrets, then the hacker can just login to S3 as me and do what he likes.

Daniel Blezek 2010-05-10 15:30:14

Answer 3

+1 A:

You can hide your secrets in a webserver you have full control over, and then having this server relay the query to Amazon. You can then use whatever encryption/validation method you like, since you are not relying on what is supported by Amazon.

Once you have validated that the request is from your own application, you then rewrite the query including your secrets and then forward this to Amazon. The result from Amazon could then be relayed directly back to the application.

In php this could for instance be done using something similar to this snippet (not showing your url rewrite):

$fp = fopen($amazon_url,'r',false);
fpassthru($fp);
fclose($fp);

Claus Broch 2010-05-10 15:40:52

This is helpful, but I didn't want the overhead of running my own server (I'd rather let Amazon do this). But it's a good suggestion.

Daniel Blezek 2010-05-10 16:07:42

So run your server on EC2 then...

caf 2010-05-11 03:27:07

ansaurus

tags:

views:

answers:

Is it worth while to hide/obfuscate server connections in an iPhone app? If so how?

related questions