
I'm currently working on a project with the following actors:

  • a web server hosting a zend php application with a database.
  • 2 mobile apps (iOS and Android) which retrieve/post data from/to the server.

I'm using HTTPS (with a trusted certificate) to communicate with the server. To retrieve data from the server, the GET method is used. To push data to the server, the mobile apps use the POST method over HTTPS.

Some transfers, such as user sign in/user data update have to be secured because of their sensitive data.

What kind of solution should I use to enforce the security of those transfers?

Thanks for your help!

  • possible dupe of - http://stackoverflow.com/questions/4480725/how-to-secure-traffic-between-ios-app-and-server, http://stackoverflow.com/questions/4092447/developing-for-android-secure-data-transfer-best-practice – rishi Apr 27 '12 at 11:49

2 Answers


If you have HTTPS then you already have one level of security. To add another level, you can encrypt and decrypt the password before sending it to the server.

iOS supports AES-256 encryption.

See best practices here http://developer.apple.com/library/ios/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html

and an iPhone example here

http://developer.apple.com/library/ios/#samplecode/CryptoExercise/Introduction/Intro.html

I am not 100% sure, but you can get similar APIs for Android as well.


SSL is the way to go and will send that data encrypted, so it cannot be read by anyone along the stream. Run all of your interactions over SSL so that you don't expose either the credentials (UN/PW) or the session cookie in an unencrypted form. SSL is the industry standard way to do this and meets all of the requirements you have specified.

If you want to restrict access to your server application to only your clients, you can deploy mutually-authenticated SSL. Embed a client-side SSL certificate in your client applications and configure your server to only accept incoming requests from clients that present that certificate when they connect.
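The mutually-authenticated SSL setup this answer describes, as an added example that is not part of the original answer or of the asker's project: a Go program using only the standard library that creates a private CA, a server certificate and a client certificate, starts an HTTPS server that refuses the handshake unless the client presents a certificate chaining to that CA, and then makes two requests, one without a certificate and one with the certificate an app would embed. The names `Demo Private CA`, `api.example.test` and `mobile-app-v1` are invented for the example. In the asker's deployment the server side of this would be configured in the web server in front of the Zend application (Apache's `SSLVerifyClient require`, for instance), and PHP would see the verified client identity in `SSL_CLIENT_S_DN_CN` rather than in `r.TLS.VerifiedChains` as below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustCert issues a short-lived ECDSA P-256 certificate for the demo. With parent == nil
// it is a self-signed CA; otherwise it is a leaf signed by parent for the given EKU.
func mustCert(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		// The test server listens on loopback, so the server leaf needs loopback SANs.
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// StartMTLSServer starts an HTTPS test server that admits only clients whose certificate
// chains to ca; the handler echoes the verified client CN (PHP's SSL_CLIENT_S_DN_CN).
func StartMTLSServer(ca, server tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.VerifiedChains[0][0].Subject.CommonName) // set by RequireAndVerifyClientCert
	}))
	s.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no trusted client cert, no handshake
		ClientCAs:    pool,
	}
	s.StartTLS()
	return s
}

// get performs one GET with the given client TLS config and returns the response body.
func get(url string, cfg *tls.Config) (string, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo builds a private CA, a server cert and one client cert, then sends a request with
// no client certificate (rejected in the handshake) and one with the app's embedded cert.
func RunDemo() (anonErr error, authCN string, err error) {
	ca := mustCert("Demo Private CA", 0, nil)
	server := mustCert("api.example.test", x509.ExtKeyUsageServerAuth, &ca)
	client := mustCert("mobile-app-v1", x509.ExtKeyUsageClientAuth, &ca)
	s := StartMTLSServer(ca, server)
	defer s.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf) // the apps trust only our own CA for the server certificate
	_, anonErr = get(s.URL, &tls.Config{RootCAs: roots})
	authCN, err = get(s.URL, &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{client}})
	return anonErr, authCN, err
}
```

Call `RunDemo` from a `main` or a test: the first request fails with a TLS alert because the server demands a client certificate, the second succeeds and the server reports `mobile-app-v1`. Two points worth keeping in mind when applying this to the apps: the clients pin their trust to the private CA (`RootCAs`), so a certificate from any public CA would not be accepted for the server either, and a single certificate embedded in a published app can be extracted from the app package, so it restricts access to people who have the app rather than to the app itself; issuing a per-install certificate after the user signs in is the stronger form of the same mechanism.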