iOS security sending data with password to and fro

2019-07-16 14:23发布

I'm building an app that needs to send the password from the user's device to be authenticated on the server before the server does any operations. it goes like this:

  1. User has a plain text password on their phone that is also in the server as a bcrypt binary.
  2. user wants to get something from the database, so user sends their ID & Password to the server via (currently plain text. its bad).

        NSString *url = [NSString stringWithFormat:@"%@f=getUserInfo&ID=%@&password=%@",[[Globals global] operationServerName], self.ID, self.password];
        NSData *data =[[NSData alloc] initWithContentsOfURL:[NSURL URLWithString:url]];
    
  3. server hashes the password it got from the user and retrieves the already hashed password from the server and makes a comparison, if they match, it gets something from the database

The problem is that the ID and Password are sent to the server over plain text and i have no idea what to do or implement to make it secure such that it avoids eavesdropping attacks. i have absolutely no idea what to do but i heard ssl/tls would help, if anyone could on an elementary level explain to me how to fix the problem or point me in the right direction, i'd REALLY appreciate it! Any tips or explanations on how to improve this would be awesome! I'm totally clueless.

also server side wise, it'd be good to know what i should add there to make it possible in the app. I'm currently using a local server, but when it goes live, it'll be from a hosting company

1条回答
可以哭但决不认输i
2楼-- · 2019-07-16 14:35

You need to send data through HTTPS connections instead of HTTP. That way the data flow between the client and the server will be encrypted.

You need to install a SSL Certificate on your server.(If you are unaware of installing just ask your host provider to do it). Now instead of returning http link in your global method [[Globals global] operationServerName] return HTTPS (https://example.com)

This should take care of encrypting data flow between server and client.

Reference: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html

查看更多
登录 后发表回答