php - How to secure an authentication in swift -


i'm quite new programming apps ios. i've had deeper creating login app. procedure quite clear me have couple of concerns regarding security aspect.

a) app sending credentials provided user api can written in php. api going verify credentials , sending response app. isn't big security issue? isn't possible verify credentials has adress of api?

b) secondly haven't seen tutorial encrypts credentials in app before sending them api. if encryption let api job. proper way encrypt them in app , send encrypted credentials api? need store secret key in app?

i'm asking because proper way right beginning. thanks.

first, start saying make sure server has ssl , ipv6 functionality ready. (taking care of these right of bat, prevents app being rejected when goes app review)

in term of securing api routes, jwt token. jwt works passphrase or certificate (meaning private , public keys, think when want ssh server without password).

i'd preferred use certificates, need make sure don't lose these certificates, because once app ready sale these specific certificates allow app talk api.

once routes of api secured, i'd:

  • generate & store default token app's keychain (its purpose allow access api once)

  • from api side, create route (/generate_token) read default token, , if valid generate new token , send response.

  • delete default token keychain , store new token there.

when ios app first launched, have kind of isalreadyfetchedtoken = false variable saved userdefault. variable allow track if have new token or not.

if isalreadyfetchedtoken == false {     // load default token variable      let default_token = ...    // create custom http header     let header = ["authorization": "bearer \(default_token)" ]    // access /generate_token route api      // if response should contain new_token      // save new token keychain && remove default 1    // update userdefault var true       isalreadyfetchedtoken = true  }

now every time want access api, you'd load token keychain, , pass api routes' authorization header example [authorization: "bearer" + new_token].

this 1 way, , not way


Comments

Post a Comment

Popular posts from this blog

PHP and MySQL WP -

i trying accomplish 2 things here code. writing php directly wp page using insert php plugin. 1) query mysql database , return results 1 column 4 columns. 2) make each result own hyperlink directs user new wp page runs new query on page. i able query show results , turn results dynamic hyperlink, cannot formatting down. right returns result 1 column. here have: [insert_php] $servername = "localhost"; $username = "login"; //edited privacy $password = "password"; //edited privacy $database = "database"; //edited privacy // create connection $conn = new mysqli($servername, $username, $password, $database); // check connection if ($conn->connect_error) { die("connection failed: " . $conn->connect_error); } echo "connected successfully"; //get results database $result = mysqli_query($conn,"select mine mines order mine"); $all_property = array(); //declare array saving property //showing proper...
Read more

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

i'm implementing inapp billing in android app. works well, however, i'm trying decouple broadcast receiver activity manifest. suggestion in android's trivialdrive sample: // important: dynamically register broadcast messages updated purchases. // register receiver here instead of <receiver> in manifest // because call getpurchases() @ startup, therefore can ignore // broadcasts sent while app isn't running. // note: registering listener in activity bad idea, done here // because sample. regardless, receiver must registered after // iabhelper setup, before first call getpurchases(). currently there's class extends broadcastreceiver : public class iabbroadcastreceiver extends broadcastreceiver { /** * intent action receiver should filter for. */ public static final string action = "com.android.vending.billing.purchases_updated"; private final iabbroadcastlistener mlistener; public iabbroadcastreceiver(iabbroadcastlistener listener) { m...
Read more

go - golang pprof for c library code -

i have been trying profile golang application pprof, seems details of c code(linked static library) missed in output result. flame graph from frame graph can see c code time consuming reported within "runtime._externalcode", no details @ all. , sure static library compiled debug enable. so there way make pprof details(like stack trace) of 3rd party c code? or there other golang profiling tool this?
Read more