At 17:54 +0000 8/1/09, Matt Keyes wrote:
I am working on an iPhone app that communicates with a .NET SOAP web service. I have the SOAP client down, but now I need to think about the security. The .NET web service ultimately will be validating the Windows login as part of the communication process, and I am trying to think how best to handle this on the iPhone. My thoughts are that maybe using SSL would be good or encrypting part of the data in the transmission (we tend to use Rijndael in most of our apps).

I am relatively new to Cocoa, however, and I would appreciate some pointers. I know the CryptoSample project exists out there, but I am not clear as to what is possible on the iPhone. Can I use SSL? If not, could I use Rijndael or some other common encryption method? If so (for any of this), can anyone point me to a sample?

Several comments:

* Authentication = verifying the person is who they claim to be. This is distinct from data privacy/integrity protection for which data encryption is useful.

* If you use any non-system encryption for purposes other than just authentication then you'll need to sort out the US Export approval drivel. Presumably SSL does not require this. You can use anything you want for the authentication.

* If you use SSL, the server must have a real properly trusted certificate as the iPhone has no way to disable this requirement - this killed the system SSL for me as the server is a desktop application. Presumably you could include openssl yourself, although you might then have to go through the US export encryption stuff.

* Try to avoid storing clear text passwords on the iPhone as your preference files can be read off if the phone is stolen and people tend to reuse passwords.

* For password hashing, MD5 is easy, but relatively weak. SHA-1 is stronger.

* If you do want a non-system encryption, Blowfish is a few hundred lines of public domain code, so it's an easy solution.

Enjoy,
   Peter.

--
              Keyboard Maestro 3 Now Available!
   Now run macros from your iPhone with Keyboard Maestro Control!

Keyboard Maestro <http://www.keyboardmaestro.com/> Macros for your Mac
<http://www.stairways.com/>           <http://download.stairways.com/>
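
The point above about not leaving clear text passwords in preference files can be met by keeping the credential in the system Keychain through the Security framework. The following is an added example, not code from this thread or its authors; the service name `com.example.soapclient` and the helper names are hypothetical, and ARC is assumed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service identifier for this app's web-service login.
static NSString * const kServiceName = @"com.example.soapclient";

// Attributes that identify one stored credential.
static NSDictionary *BaseQuery(NSString *account) {
    return @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kServiceName,
              (__bridge id)kSecAttrAccount: account };
}

// Store or replace the password. Nothing is written to NSUserDefaults.
OSStatus StorePassword(NSString *account, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *query = BaseQuery(account);
    NSDictionary *update = @{ (__bridge id)kSecValueData: secret };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
                                    (__bridge CFDictionaryRef)update);
    if (status == errSecItemNotFound) {
        NSMutableDictionary *add = [query mutableCopy];
        add[(__bridge id)kSecValueData] = secret;
        // Readable only while unlocked; not migrated to another device via backup.
        add[(__bridge id)kSecAttrAccessible] =
            (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
        status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    }
    return status;
}

// Returns nil when no item exists or the device is locked.
NSString *LoadPassword(NSString *account) {
    NSMutableDictionary *query = [BaseQuery(account) mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) return nil;
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the credential, for example on logout.
OSStatus DeletePassword(NSString *account) {
    return SecItemDelete((__bridge CFDictionaryRef)BaseQuery(account));
}
```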