views:

27

answers:

2

Whats the best way to make this a more secure and less obvious security risk?

NSString *loginIdentification = [NSString stringWithFormat:@"user=%@&pass=%@&", userNameLogin, passWordLogin];

    addressVariable = [NSString stringWithFormat:@"%@/%@", url, loginIdentification];
    addressVariable =  [addressVariable stringByAddingPercentEscapesUsingEncoding: NSUTF8StringEncoding];

    NSURLResponse* response = nil;
    NSError* error = nil;
    NSData* data = [NSURLConnection sendSynchronousRequest:request returningResponse:&response error:&error];
+1  A: 

Make sure you're using an https connection and not an http connection.

Dave DeLong
But the user name and password are still in plain text and are easily seeable. When I use the submit button to login with the web interface for the same site I cannot see the username or password in the logs. How can I get the same result with NSURLRequest?
S-T-R-E-G-A
@STREGA - see Marc's answer about not putting the username/password in the URL.
Dave DeLong
+1  A: 

Instead of putting the sensitive information in the URL (via GET), use the POST method and put them in the body. That way, they won't show up in your server logs.

Marc Novakowski
+1 i totally missed that they were going into the URL. You should *never* put sensitive information in the URL (since that has to be sent in plaintext). The body, however, is fine (as long as you're using https).
Dave DeLong