Basically, we're trying to make sure that we limit just what type of client can 
contact our web service and limit it to our iOS and Android apps.

Using full challenge-response seems to be frowned on since if we implement it, 
it's across all servers and this would break the current clients we have out 
there - something I didn't know when I asked this question.

At this point, we're calling account setup URLs from the client, so we want to 
make sure that only our mobile apps can make the calls to the server.  We want 
the server to trust just these clients.

Thinking of sending messages with hashes of a special keyword sent from the 
clients.

We are doing a roundtrip request with an emailed message to a URL that 
relaunches the app as part of this.

Thanks, Otto.

On Jun 22, 2015, at 12:22 PM, Sixten Otto wrote:

> Using client-side certificates in TLS is pretty standard stuff, and should
> be well-supported by the system. You might start here:
> https://developer.apple.com/library/ios/documentation/Cocoa/Conceptual/URLLoadingSystem/Articles/AuthenticationChallenges.html
> 
> The biggest issue with something like this, or any scheme where you're
> trusting the client based on information that was packaged in the app, is
> that the app necessarily contains the information some bad actor would need
> to have to build a malicious client that you probably don't want to trust.
> (Same with things like encryption keys, API keys, shared passwords, and so
> on.) On the other hand, maybe that isn't the kind of risk you're trying to
> mitigate.
> 
> Can you say anything more about what kind of app/service this is, and what
> sorts of threats you're trying to protect against?
> 
> Do you have any way of knowing who the valid users should be ahead of time,
> or communicating with them outside of the app?
> 
> Sixten
> 
> 
> On Mon, Jun 22, 2015 at 6:43 AM, Alex Zavatone <[email protected]> wrote:
> 
>> We're all familiar with using an SSL cert to get a client to trust a
>> server, but what we're looking at is getting a server to trust that a trusted
>> client is allowed to access it.
>> 
>> I was thinking of embedding an SSL cert within the iOS app and validating
>> against that, but I'm sort of lost on a way to start.
>> 
>> If this approach seems valid, do any of you have any ideas on any sites
>> where I could start reading up on this?
>> 
>> If this approach doesn't seem valid, do any of you have any suggestions on
>> what might be a better approach?
>> 
>> Thanks much in advance,
>> 
>> Alex Zavatone
>> _______________________________________________
>> 
>> Cocoa-dev mailing list ([email protected])
>> 
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>> 
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/cocoa-dev/himself%40sfko.com
>> 
>> This email sent to [email protected]

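Putting the two threads of this discussion together (the e-mailed link that relaunches the app, and Sixten's point that anything packaged in the app can be pulled out of it), here is an added example that is not code from anyone on this list: the e-mailed token is single-use and short-lived, and redeeming it issues a per-install secret that then signs the account-setup calls, so the app binary on its own carries nothing the server trusts. The verify URL, the in-memory stores and the signed-field layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stores standing in for the server's database (constructed for this example).
PENDING = {}    # sha256(token) -> {"email", "expires", "used"}
INSTALLS = {}   # install_id -> {"email", "secret"}
LINK_BASE = "https://example.invalid/account/verify"  # hypothetical setup URL
TOKEN_TTL = 15 * 60  # seconds the e-mailed link stays valid


def issue_verification(email, now=None):
    """Create a single-use, short-lived token and return the link to e-mail to the user.
    Only the token's hash is stored, so a copy of the database does not yield live links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL, "used": False}
    return f"{LINK_BASE}?t={token}"


def redeem_verification(token, now=None):
    """Called when the link relaunches the app and the app posts the token back.
    Returns (install_id, secret) for the app to keep, or None if the token is not valid."""
    now = time.time() if now is None else now
    entry = PENDING.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True
    install_id = secrets.token_hex(8)
    secret = secrets.token_bytes(32)
    INSTALLS[install_id] = {"email": entry["email"], "secret": secret}
    return install_id, secret


def sign_request(secret, install_id, timestamp, body):
    """Client side: HMAC over the fields the server checks, keyed by the per-install secret."""
    msg = f"{install_id}\n{timestamp}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(install_id, timestamp, body, signature, now=None, skew=300):
    """Server side: unknown install, stale timestamp or bad MAC all fail closed."""
    now = time.time() if now is None else now
    install = INSTALLS.get(install_id)
    if install is None or abs(now - timestamp) > skew:
        return None
    expected = sign_request(install["secret"], install_id, timestamp, body)
    return install["email"] if hmac.compare_digest(expected, signature) else None
```

Contrast this with a hash of one keyword shared by every copy of the app: whoever extracts that keyword can produce valid requests forever, whereas here each install's secret only exists after the user proved control of the e-mail address.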
