Hey folks, thanks for all the advice. I thought this was going to be a showstopper, but this basic security should get the job done.
Have a great Thanksgiving, everybody.

Thanks,
Mark
http://markphillip.com

On Wed, Nov 25, 2009 at 3:20 PM, Victor Trac <[email protected]> wrote:

> Amazon uses keyed-HMAC for S3 REST authentication, and you should be able
> to do the same thing. Take selected elements of your request URL,
> concatenate them together with a secret key embedded into your
> iPhone/Android/Pre application, and send along a hash of this string using
> the Authorization parameter. On the web app side, do the same calculation
> using the same secret key and you should have secure, authenticated sessions
> (until someone figures out your secret key).
>
> -- Victor
>
> On Nov 25, 2009, at 3:00 PM, Mark Phillip wrote:
>
> Hey Ryan, thanks, you definitely understood my question correctly. It
> seems like that's the case on all three of these platforms.
>
> Erik, I was thinking of something similar, but I think simpler--having the
> native app include an MD5 hash that changed each day that would be verified
> by the web app. Not uncrackable, but enough of an annoyance to not make it
> worth the 99 cents. How would you model the "handshake"?
>
> Thanks,
> Mark
> http://markphillip.com
>
> On Wed, Nov 25, 2009 at 2:46 PM, Erik Pearson <[email protected]> wrote:
>
>> Regardless of whether someone can see the URL, you could make the web
>> app require a "handshake" from the native app (e.g., a valid session
>> code.) This would keep out anyone trying to skirt around the fees.
>>
>> On Nov 25, 2:41 pm, Ryan Joy <[email protected]> wrote:
>> > I may not understand your question fully, but I would find it very
>> > easy to determine the source URL or data feed for any HTTP traffic
>> > coming into my developer (or jailbroken) iPhone. Or, even easier to
>> > analyze my network traffic.
>> >
>> > -RYAN JOY
>> > http://twitter.com/atxryan
>> > 512.552.2687 mobile
>> >
>> > On Nov 25, 2009, at 2:21 PM, Mark Phillip wrote:
>> >
>> > > There has been a good amount of talk lately about building web
>> > > applications for mobile phones, instead of native applications
>> > > (http://www.quirksmode.org/blog/archives/2009/11/apple_is_not_ev.html).
>> > > Ignoring any performance, findability, or "slickness" issues,
>> > > I'm curious about the commerce aspect and haven't been able to find
>> > > a good answer.
>> > >
>> > > iPhone, Android, and webOS, all have a WebView-like control that
>> > > allows you to wrap an existing web page in a full-fledged native app
>> > > that you could submit to their respective App Store. Is there any
>> > > reason why a person wouldn't be able to charge for this app if the
>> > > URL wasn't publicized? On these three platforms, would there be any
>> > > way to decompile the app and figure out the source URL?
>> > >
>> > > Thanks,
>> > > Mark
>> > > http://markphillip.com
>> > >
>> > > --
>> > > Our Web site: http://www.RefreshAustin.org/
>> > >
>> > > You received this message because you are subscribed to the Google
>> > > Groups "Refresh Austin" group.
>> > >
>> > > [ Posting ]
>> > > To post to this group, send email to [email protected]
>> > > Job-related postings should follow http://tr.im/refreshaustinjobspolicy
>> > > We do not accept job posts from recruiters.
>> > >
>> > > [ Unsubscribe ]
>> > > To unsubscribe from this group, send email to [email protected]
>> > >
>> > > [ More Info ]
>> > > For more options, visit this group at
>> > > http://groups.google.com/group/Refresh-Austin
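
The request signing Victor describes in the thread above, as an added example that is not part of the original messages. It uses HMAC-SHA256 from Python's standard library rather than hashing a plain concatenation, and the signed timestamp (in the spirit of Mark's daily-changing hash), the key, the URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key. Any key shipped inside an app binary can be extracted,
# so this raises the cost of bypassing the app rather than preventing it.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW = 300  # assumed freshness window, in seconds


def canonical_string(method, url, timestamp):
    """Join the request elements covered by the signature, unambiguously."""
    parts = urlsplit(url)
    # Sort query parameters so client and server build identical strings.
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return "\n".join([method.upper(), parts.netloc.lower(), parts.path,
                      query, str(int(timestamp))])


def sign_request(method, url, timestamp, key=SHARED_KEY):
    """Client side: the value to send in the Authorization header."""
    msg = canonical_string(method, url, timestamp).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(method, url, timestamp, signature, now=None, key=SHARED_KEY):
    """Server side: recompute the MAC; reject stale or altered requests."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW:
            return False  # outside the window: treat as a replayed request
    except (TypeError, ValueError):
        return False  # malformed timestamp
    expected = sign_request(method, url, timestamp, key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    ts = 1259184000  # constructed timestamp
    url = "https://app.example.com/feed?page=2&fmt=json"  # hypothetical URL
    sig = sign_request("GET", url, ts)
    print("Authorization:", sig)
    print("fresh request:", verify_request("GET", url, ts, sig, now=ts + 10))
    print("replayed later:", verify_request("GET", url, ts, sig, now=ts + 3600))
```
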
