Preventing PHP scripts used in a iPhone app from being accessed via web browser
Hi All,
I've hit a security hole in my app that I can not get out off.
Basically, I am using this method to pass parameters to a php script which returns values from a server:
Code:
NSString *urlstr = [[NSString alloc] initWithFormat:@"http://www.yourserver.com/yourphp.php?param=%d", paramVal];
NSURL *url = [[NSURL alloc] initWithString:urlstr];
NSString *ans = [NSString stringWithContentsOfURL:url];
// here in ans you'll have what the PHP side returned. Do whatever you want
[urlstr release];
[url release];
I then pose the question. How do you secure 'http://www.yourserver.com/yourphp.php' ? You can easily navigate to the same script (if you know the path) and pass in any parameters that you want. Am I missing something?
I'm totally a beginner here so go easy on me! Any code snippets or suggestions that can be thrown my way would be greatly appreciated. Thanks!
Last edited by blamethatkid; 04-10-2009 at 08:54 PM.
I suppose you could detect the client on the php side and not do anything unless it's an iphone. I'm not sure what the the iphone looks like as a client thought.
I suppose you could detect the client on the php side and not do anything unless it's an iphone. I'm not sure what the the iphone looks like as a client thought.
yeah I guess the only problem there is that the client can be spoofed.
I'm totally a beginner here so go easy on me! Any code snippets or suggestions that can be thrown my way would be greatly appreciated. Thanks!
You can't protect yourself against this purely on the server side. A client can be faked very easily so just checking what device type the callee uses is not enough. Here are some possible solutions:
Let the user provide a username and password
Encrypt the data to a from the server
Use a computed 'checksum' that the device must send with the user
The first two is the best and ortodox solutions, the third is a bit easier to implement.
Let's say the client sends three data to the server: a, b and c. Then add an extra parameter: d.
Calculate d in a way only you now, like d = 543*b/a-c, then the server easily can validate that the data is from your application.
Good keyword to search for in programming forums: "checksum", "MD5" and "CRC32"
my app doesn't work on a user name + password system.
The app just calls a script that populates a table on my app. Users are asked to put in their email at some point when they make an entry on the table.
The main problem is that someone clever could figure out the script being called and recall all the email addresses stored on the server. setting up a username + password system is not conducive to the way the app would work because the users will never have to recall their entry.
Unless the SDK supports the use of client certificates when accessing URLs then your best bet would be to follow Joche's advice and implement a non trivial checksum value in addition to maybe encoding the values client side before passing them to the PHP script (which would obviously decode + verify checksum value)
the iPhone App iMobsters uses a user Id and phone Id passed somehow. You might want to look into how they are doing it. If you try and access it via Safari, even spoofed as an iPhone, it won't work. Here's an example:
Hi All,
I've hit a security hole in my app that I can not get out off.
Basically, I am using this method to pass parameters to a php script which returns values from a server:
Code:
NSString *urlstr = [[NSString alloc] initWithFormat:@"http://www.yourserver.com/yourphp.php?param=%d", paramVal];
NSURL *url = [[NSURL alloc] initWithString:urlstr];
NSString *ans = [NSString stringWithContentsOfURL:url];
// here in ans you'll have what the PHP side returned. Do whatever you want
[urlstr release];
[url release];
I then pose the question. How do you secure 'http://www.yourserver.com/yourphp.php' ? You can easily navigate to the same script (if you know the path) and pass in any parameters that you want. Am I missing something?
I'm totally a beginner here so go easy on me! Any code snippets or suggestions that can be thrown my way would be greatly appreciated. Thanks!
The app just calls a script that populates a table on my app. Users are asked to put in their email at some point when they make an entry on the table.
The main problem is that someone clever could figure out the script being called and recall all the email addresses stored on the server.
It wouldn't even take somebody clever.
This isn't an "iPhone" problem, and you're on the wrong forum. You need to learn PHP 101, and go to a PHP forum.
But, then again, it isn't even a PHP problem. It's a basic web services security issue, that transcends any given language or platform. You need to learn about HTTP authentication and SSL. (There are other approaches, but it would take a good understanding of computer security.) You don't need code snippets. You first need to understand some of the basics of computer security, authentication and encryption. And before you even look into that, you need to get a basic understanding of the societal and legal issues. You at least seem to have an inkling about that, as you do seem troubled by your current approach.
Your security is no security, and asking people to store their email addresses in such an insecure manner is just plain irresponsible. I hope your app has not yet been released.
I'll give one more bit of advice - you've mis-stated your problem. It is NOT "preventing somebody from accessing the data from a web browser". It's "preventing unauthorized access to the data". I hope that's helpful, because before you can solve the problem, first you need to understand just what the problem is.
Perhaps you should channel your efforts initially into an app that has less potential for damage. Sorry for ripping you a new one for being a newbie - but there are some thing that newbies probably shouldn't be dabbling in just yet.
This isn't an "iPhone" problem, and you're on the wrong forum. You need to learn PHP 101, and go to a PHP forum.
But, then again, it isn't even a PHP problem. It's a basic web services security issue, that transcends any given language or platform. You need to learn about HTTP authentication and SSL. (There are other approaches, but it would take a good understanding of computer security.) You don't need code snippets. You first need to understand some of the basics of computer security, authentication and encryption. And before you even look into that, you need to get a basic understanding of the societal and legal issues. You at least seem to have an inkling about that, as you do seem troubled by your current approach.
Your security is no security, and asking people to store their email addresses in such an insecure manner is just plain irresponsible. I hope your app has not yet been released.
Perhaps you should channel your efforts initially into an app that has less potential for damage.
Wow dude did they run out of your flavor coffee at the neighborhood Starbucks this evening?
Dave (nominates this for "Rant of the Year 2009" )
This isn't an "iPhone" problem, and you're on the wrong forum. You need to learn PHP 101, and go to a PHP forum.
But, then again, it isn't even a PHP problem. It's a basic web services security issue, that transcends any given language or platform. You need to learn about HTTP authentication and SSL. (There are other approaches, but it would take a good understanding of computer security.) You don't need code snippets. You first need to understand some of the basics of computer security, authentication and encryption. And before you even look into that, you need to get a basic understanding of the societal and legal issues. You at least seem to have an inkling about that, as you do seem troubled by your current approach.
Your security is no security, and asking people to store their email addresses in such an insecure manner is just plain irresponsible. I hope your app has not yet been released.
I'll give one more bit of advice - you've mis-stated your problem. It is NOT "preventing somebody from accessing the data from a web browser". It's "preventing unauthorized access to the data". I hope that's helpful, because before you can solve the problem, first you need to understand just what the problem is.
Perhaps you should channel your efforts initially into an app that has less potential for damage. Sorry for ripping you a new one for being a newbie - but there are some thing that newbies probably shouldn't be dabbling in just yet.
Thanks for helping me ask the right questions.
Last edited by blamethatkid; 07-17-2010 at 07:37 PM.
Preventing PHP scripts used in a iPhone app from being accessed via web browser
)
Linear Mode
