How to access a PHP web service securely from an Objective-C/iOS app?


Viewed 352 times

4

I’m building an application in which I need to securely send user data to a web service written in PHP. For this, I’m researching security on iOS.

What is the recommended method and what are the points I should be concerned about?

Please, preferably, cite references to documents or security tutorials.

1 answer

3


As a starting point, I suggest you begin by reading this document: iOS Security Guide (in English)

Before sending (offline storage), start from page 9: Encryption and Data Protection

For sending the data, start from page 23: Network Security

Now that the question has been edited, I understand that you probably want to interact with the server using HTTP GET or POST via TLS (also known as HTTPS).

In that case, I suggest you follow Apple's specification at this link: Making HTTP and HTTPS Requests (in English)

Security recommendations:

  • If your server is configured correctly (valid certificate, SSL disabled), you already start out with good security.
  • You can increase security further by manually checking that the server certificate is the real one (practically mandatory if the certificate is custom). It increases even more if you use DNSSEC.
  • If you configure the application to send a client certificate, it increases even more (but in this case it depends on the server validating the certificate).

On the security side, you will notice that iOS does not support DNSSEC. If you base your system's security solely on what the vendor's API offers, you are at risk. You need to choose the communication protocol first, and base your needs around it.

Since I am not citing references, consider my recommendations as opinions. Mainly because some of them are optional, others are not practical, and some are not necessary. In short, it depends on several factors.

  • The link you recommended is good, but it's an Apple post about how their services work with security. I would like something more specific about sending and receiving data to a back end.

  • 2

    When you said "to be sent," I understood it as being before you send the data. In the case of "sending" or "sending to the server", it would start from page 23, Network Security. Then I would choose one of the methods listed there and focus on finding specific tutorials (to avoid too broad a response on Stack Overflow).
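The three recommendations in the answer above (HTTPS against a correctly configured server, manually checking that the server certificate is the expected one, and optionally presenting a client certificate) put together as an added Objective-C example. This is not code from the original answer or from Apple's documentation; it uses only public NSURLSession and Security.framework APIs. The class name `PinnedSessionDelegate`, the bundled files `server.der` (a DER copy of the backend's leaf certificate) and `client.p12` (a PKCS#12 bundle with the client identity), the password `p12-password`, and the endpoint `https://api.example.com/submit` are all assumptions made for the example.

```objective-c
// Added example, not from the original post. Assumed (hypothetical) inputs:
//   server.der  - DER copy of the backend's leaf certificate, bundled with the app
//   client.p12  - PKCS#12 bundle holding the client identity (optional)
//   https://api.example.com/submit - the PHP endpoint receiving a JSON POST
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, strong) NSData *pinnedCertificate;  // DER bytes of the expected server cert
@property (nonatomic, assign) SecIdentityRef clientIdentity; // NULL when no client cert is used
@end

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSString *method = challenge.protectionSpace.authenticationMethod;

    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        SecTrustRef trust = challenge.protectionSpace.serverTrust;

        // Step 1: let the system validate the chain (CA, expiry, hostname).
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(trust, &result);
        BOOL chainOK = (status == errSecSuccess) &&
            (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

        // Step 2: compare the leaf certificate byte-for-byte with the pinned copy.
        // A missing pinned copy fails closed: nothing is equal to nil.
        BOOL pinOK = NO;
        if (chainOK && self.pinnedCertificate && SecTrustGetCertificateCount(trust) > 0) {
            SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
            NSData *leafData = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
            pinOK = [leafData isEqualToData:self.pinnedCertificate];
        }

        if (pinOK) {
            completionHandler(NSURLSessionAuthChallengeUseCredential,
                              [NSURLCredential credentialForTrust:trust]);
        } else {
            // Wrong certificate or broken chain: abort instead of falling back to default handling.
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        }
        return;
    }

    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        if (self.clientIdentity == NULL) {
            completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
            return;
        }
        // The server still has to verify this certificate on its side.
        NSURLCredential *cred = [NSURLCredential credentialWithIdentity:self.clientIdentity
                                                            certificates:nil
                                                             persistence:NSURLCredentialPersistenceForSession];
        completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
        return;
    }

    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
@end

// Loads the client identity from a PKCS#12 file; returns NULL if the file is absent or unreadable.
static SecIdentityRef LoadClientIdentity(NSString *p12Path, NSString *password)
{
    NSData *p12 = p12Path ? [NSData dataWithContentsOfFile:p12Path] : nil;
    if (!p12) return NULL;
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase: password };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12, (__bridge CFDictionaryRef)options, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        return NULL;
    }
    NSDictionary *first = (__bridge NSDictionary *)CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (__bridge SecIdentityRef)first[(__bridge id)kSecImportItemIdentity];
    CFRetain(identity);
    CFRelease(items);
    return identity;
}

// Sends the user data as a JSON POST over HTTPS through a pinned, TLS 1.2-only session.
void SendUserData(NSDictionary *userData)
{
    PinnedSessionDelegate *delegate = [PinnedSessionDelegate new];
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
    delegate.pinnedCertificate = certPath ? [NSData dataWithContentsOfFile:certPath] : nil;
    NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
    delegate.clientIdentity = LoadClientIdentity(p12Path, @"p12-password"); // assumed password

    // Ephemeral: no credentials, cookies or cache written to disk.
    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    config.TLSMinimumSupportedProtocol = kTLSProtocol12; // refuses SSLv3 and TLS 1.0/1.1
    NSURLSession *session = [NSURLSession sessionWithConfiguration:config
                                                          delegate:delegate
                                                     delegateQueue:nil];

    NSMutableURLRequest *request =
        [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://api.example.com/submit"]];
    request.HTTPMethod = @"POST";
    [request setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
    request.HTTPBody = [NSJSONSerialization dataWithJSONObject:userData options:0 error:nil];

    [[session dataTaskWithRequest:request
                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        if (error) { NSLog(@"request failed: %@", error); return; }
        NSLog(@"server answered with status %ld", (long)((NSHTTPURLResponse *)response).statusCode);
    }] resume];
}
```

Two design choices worth noting: the pin is checked only after the normal chain evaluation succeeds, so a pinned but expired or mis-hosted certificate is still rejected; and every failure path calls `NSURLSessionAuthChallengeCancelAuthenticationChallenge` rather than `PerformDefaultHandling`, so a mismatch never silently degrades to ordinary CA validation. Pinning the leaf certificate means the app must be updated whenever the server certificate is renewed; pinning the issuing CA or the public key instead trades that maintenance cost for a slightly larger trust surface.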
