8

I am building an app which gets JSON-encoded data from a web server. Right now, anyone can access the server-script that gets the data, and potentially access sensitive data.

So, what is the best way to ensure that the app is what's getting the data, and secure the traffic between the server and app? The server-script is PHP.

Thank you.

Jacob Relkin
Emil

2 Answers

4

You should use nonces.

Here's a great tutorial on how to generate an MD5 hash in C:

http://www.saobart.com/md5-has-in-objective-c/

Jacob Relkin
  • I have looked into nonces, but I can't figure out how to use them. And that library has many design flaws around it, unfortunately… And the main problem about nonces is the fact that hashing a string in Objective-C is nearly impossible... – Emil Dec 18 '10 at 23:58
  • 3
    Nearly impossible? Are you on drugs? And I mean that with all due respect. – jer Dec 19 '10 at 00:03
  • I second @jer's position. I work at a game company, and I can tell you from experience that it most definitely is possible to use nonces in C. – Jacob Relkin Dec 19 '10 at 00:04
  • @Emil Have you done any research on how to generate MD5 hashes in C? I doubt it, because if you had, you would not have said that it was "nearly impossible". – Jacob Relkin Dec 19 '10 at 00:09
  • Hah, no, I'm not on drugs, but I have seriously been trying all day to implement nonces, with no progress whatsoever. Would be nice with a guide… – Emil Dec 19 '10 at 00:10
  • @Emil: Note that Objective-C is a pure superset of plain ANSI C. When in doubt, just use any C code. – hotpaw2 Dec 19 '10 at 07:38
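
The nonce exchange this answer and its comments refer to, shown for both sides as an added example that is not part of the original answer or comments: the server issues a single-use nonce, the client returns a keyed hash over the nonce and the requested path, and the server accepts each nonce once. It uses HMAC-SHA256 in place of the MD5 hash mentioned in the thread; the shared key, the function names, the `/data.php` path and the in-memory nonce store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: secret provisioned to the app
NONCE_TTL = 60                        # seconds a nonce stays valid
_issued = {}                          # server-side store: nonce -> expiry time


def issue_nonce(now=None):
    """Server: hand out a random, single-use nonce."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    _issued[nonce] = now + NONCE_TTL
    return nonce


def sign_request(nonce, path, key=SHARED_KEY):
    """Client: bind the nonce to the requested resource with a keyed hash."""
    msg = f"{nonce}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(nonce, path, tag, now=None):
    """Server: accept only a fresh, unused nonce with a matching tag."""
    now = time.time() if now is None else now
    expiry = _issued.pop(nonce, None)  # pop: a nonce is consumed on first use
    if expiry is None or now > expiry:
        return False                   # unknown, replayed or expired nonce
    expected = sign_request(nonce, path)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    nonce = issue_nonce()
    tag = sign_request(nonce, "/data.php")  # constructed sample path
    print("first use :", verify_request(nonce, "/data.php", tag))
    print("replay    :", verify_request(nonce, "/data.php", tag))
```

A key shipped inside the app can be recovered by anyone who inspects the binary, so this scheme stops replayed and casually forged requests rather than proving the caller is the app, and the exchange still belongs inside HTTPS.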
1

> So, what is the best way to ensure that the app is what's getting the data

In general, you can't. The best you can do is use some sort of login system, but anyone sniffing packets will be able to figure that out.

> and secure the traffic between the server and app?

Use TLS, i.e., HTTPS using SSL.

Shaggy Frog