
I'm developing a client-server app; the client is an iPhone device that communicates with my C# server. The client and server use a textual protocol that I have designed to exchange messages over TCP sockets. Can someone please give me some guidelines on how to add basic security to this app? At this moment the only security element I have is client authentication with a login username and password. But, for example, anybody can see and read the messages sent between client and server without any problem...

Eyal

2 Answers


In the mobile environment the user of the application has more control over the device than you do as a developer. There is no way to hide a secret password or key. You must account for a malicious client, so be careful about the functionality that you expose.

Sending the username and password in plain text is a violation of OWASP A9. You should consider using SSL/TLS or HTTPS.

rook
  • Thanks for the reply. What do I need to do to add SSL protection? I saw that C# has an SslStream; is it enough to use it instead of the regular stream? How do I get private and public keys? Does it cost money? – Eyal Oct 08 '11 at 17:20
  • @Eyal A certificate is just a number, and numbers are free. You generate it with the openssl command that comes with every *nix system. (I'm sure you can do this under Windows as well, but it's probably more difficult.) For this you can use self-signed certificates and distribute the client with the server's public key. The point of this is that you don't want an eavesdropper to sniff a client's username/password/other information. – rook Oct 08 '11 at 20:05
  • I'm asking because I saw some posts that say it costs money to get an SSL certificate. Is there any tutorial you know of for using SSL in Objective-C and C#? – Eyal Oct 08 '11 at 22:02
  • @Eyal Signing certificates costs money, and if you get it signed you still have to generate one. – rook Oct 09 '11 at 00:32
  • Sorry, I'm confused about self-signed and signed certificates: when I use a self-signed certificate it does not cost money, but when I use a signed certificate it does? – Eyal Oct 09 '11 at 08:31
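The setup rook describes, as an added example that is not code from the question or the answers: a minimal SslStream server in front of the existing line-based text protocol, and a client that ships with the server's self-signed certificate fingerprint and accepts only that certificate (the chain check would always fail for a self-signed cert, so the callback replaces it with a pin). The openssl commands in the header comment generate the certificate; no CA and no money are involved. The host name, port, file names, PFX password and the "LOGIN user pass" message shape are assumptions made for this example. The client side is written in C# here to keep one language on the page; the iPhone client has to perform the same fingerprint comparison in its own TLS stack.

```csharp
// Added example, not code from the question or the answers. Host name, port,
// file names, the PFX password and the "LOGIN user pass" message shape are
// assumptions. Self-signed certificate with the openssl CLI:
//   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
//       -subj "/CN=chat.example.com" -keyout server.key -out server.crt
//   openssl pkcs12 -export -inkey server.key -in server.crt \
//       -out server.pfx -passout pass:changeit
//   openssl x509 -in server.crt -noout -fingerprint -sha256   # value to pin
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class TlsServer
{
    public static async Task RunAsync(string pfxPath, string pfxPassword, int port)
    {
        var serverCert = new X509Certificate2(pfxPath, pfxPassword);
        var listener = new TcpListener(IPAddress.Any, port);
        listener.Start();
        while (true)
        {
            TcpClient tcp = await listener.AcceptTcpClientAsync();
            _ = Task.Run(() => HandleAsync(tcp, serverCert));
        }
    }

    static async Task HandleAsync(TcpClient tcp, X509Certificate2 serverCert)
    {
        using (tcp)
        using (var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
        {
            // The handshake completes before the first protocol line is read,
            // so the username and password never cross the wire in the clear.
            await tls.AuthenticateAsServerAsync(serverCert,
                clientCertificateRequired: false,
                enabledSslProtocols: SslProtocols.Tls12,
                checkCertificateRevocation: false);

            var reader = new StreamReader(tls, Encoding.UTF8);
            var writer = new StreamWriter(tls, Encoding.UTF8) { AutoFlush = true };
            string line;
            while ((line = await reader.ReadLineAsync()) != null)
            {
                // The existing text protocol is handled here unchanged; only
                // the transport underneath it changed.
                await writer.WriteLineAsync(line.StartsWith("LOGIN ") ? "OK" : "ERR unknown command");
            }
        }
    }
}

static class PinnedTlsClient
{
    // SHA-256 fingerprint of server.crt, shipped inside the app (placeholder).
    const string PinnedSha256 = "REPLACE-WITH-OUTPUT-OF-openssl-x509-fingerprint";

    // A self-signed certificate always fails chain validation, so the chain and
    // policy errors are ignored and the presented leaf is compared by hash.
    static bool ValidateServerCert(object sender, X509Certificate cert,
                                   X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        string fp;
        using (var sha = SHA256.Create())
            fp = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
        return string.Equals(fp, PinnedSha256.Replace(":", ""), StringComparison.OrdinalIgnoreCase);
    }

    public static async Task<string> LoginAsync(string host, int port, string user, string password)
    {
        using (var tcp = new TcpClient())
        {
            await tcp.ConnectAsync(host, port);
            using (var tls = new SslStream(tcp.GetStream(), false, ValidateServerCert))
            {
                // Throws AuthenticationException when ValidateServerCert returns false.
                await tls.AuthenticateAsClientAsync(host, null, SslProtocols.Tls12, false);
                var writer = new StreamWriter(tls, Encoding.UTF8) { AutoFlush = true };
                var reader = new StreamReader(tls, Encoding.UTF8);
                await writer.WriteLineAsync("LOGIN " + user + " " + password);
                return await reader.ReadLineAsync();
            }
        }
    }
}
```

Two caveats a practitioner would want: pinning ties the client build to one certificate, so rotating the key means shipping an app update (pinning the public key hash instead of the whole certificate relaxes this a little); and the fingerprint constant in the client is not a secret, it only has to be tamper-proof, which is consistent with rook's point that nothing inside the app can be hidden from the device's owner.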

Have you looked at OpenSSL? SSL is a cryptographic protocol that provides secure communication. SSL will prevent others from listening in on the stream between your client and server.

One more thing you should do is validate all server input, to prevent executing malicious code on your server. For example, if you have a database where you store user input, you should take a look at SQL injection.
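The two server-side checks this answer recommends, as an added example that is not code from the answer or the asker's project: a strict parser for the incoming protocol line, and the user lookup written once with string concatenation (the injectable form) and once with a parameterized query. The "LOGIN user pass" message shape, the Users table, its column names and the use of a stored password hash are assumptions made for this example.

```csharp
// Added example, not code from the answer. Message shape, table and column
// names and the stored password hash are assumptions for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class LoginHandler
{
    // Usernames: 3-32 characters from a fixed alphabet. Anything else is
    // rejected before it reaches the database or the rest of the handler.
    static readonly Regex UserPattern = new Regex(@"^[A-Za-z0-9_.-]{3,32}$");

    // Returns { user, password } or null when the line is not a well-formed
    // LOGIN message (wrong shape, oversized, or a username outside the alphabet).
    public static string[] ParseLogin(string line)
    {
        if (line == null || line.Length > 256) return null;
        string[] parts = line.Split(' ');
        if (parts.Length != 3 || parts[0] != "LOGIN") return null;
        if (!UserPattern.IsMatch(parts[1]) || parts[2].Length == 0) return null;
        return new[] { parts[1], parts[2] };
    }

    // VULNERABLE: a username of  ' OR '1'='1' --  closes the quote, makes the
    // WHERE clause always true and comments out the password check. The same
    // trick works through the second concatenated value.
    public static bool LoginUnsafe(SqlConnection conn, string user, string passwordHash)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + user +
                     "' AND PasswordHash = '" + passwordHash + "'";
        using (var cmd = new SqlCommand(sql, conn))
            return (int)cmd.ExecuteScalar() > 0;
    }

    // SAFE: the values travel as typed parameters and are never spliced into
    // the statement text, so quotes in the input cannot change the query.
    public static bool LoginSafe(SqlConnection conn, string user, string passwordHash)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE Name = @name AND PasswordHash = @hash";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = user;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = passwordHash;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The parser is defence in depth: its alphabet happens to exclude the quote character, but the password field is deliberately unrestricted, so only the parameterized query actually removes the injection. Hashing the password before it is compared with the stored value is outside this example.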