Secure Transaction between Mobile app and LAMP

Question

I have a Mobile App (iPhone and Android) which allows user to login to his account, change prefs etc...

I want to add a new feature where the user can buy products through his device or upgrade his service. Everything will run from the device and I want to make each transactions the user make it syncs to the web server.

I have HTTPS setup on my server. I would like to know if:

1. It is a good practice? or should I simply tell the user to use our website
2. If "yes", is HTTPS alone good to process these transactions?

Thanks

Answer 1

yes it's a good practice.

first of all ALWAYS use HTTPS.

make sure your certificate is valid and trusted.

for iphone:

• iPhone: HTTPS client cert authentication
• https://discussions.apple.com/thread/1652697?start=0&tstart=0

for android:

• Trusting all certificates using HttpClient over HTTPS
• Accepting a certificate for HTTPs on Android

second encrypt your data.

any encryption algorithm or rsa encryption will do the trick.

passing data using GET/POST should not be sent in plain text like: ?user=myuser&pass=mypass. instead use something like ?h28JduDak30fT1pfgmSnShNms762023lflsfdj2h4J. then on your server you simply have to decrypt it using a salt only your phone and the server knows.

example code for iphone:

NSString *encrypteddata =[NSString stringWithFormat:@"key=enryptedstring"];
NSData *data = [encrypteddata dataUsingEncoding:NSUTF8StringEncoding allowLossyConversion:YES];
NSString *datalen = [NSString stringWithFormat:@"%d", [data length]];
NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
[request setURL:[NSURL URLWithString:@"https://yourserver:443/loginscript"]]; //:443 very importantz
[request setHTTPMethod:@"POST"];
[request setValue:datalen forHTTPHeaderField:@"Content-Length"];
[request setValue:@"application/x-www-form-urlencoded charset=utf-8" forHTTPHeaderField:@"Content-Type"];
[request setHTTPBody:data];

similar idea for android

then on your server you can decrypt $_POST['key'] and do your login logic (or others)

here's more resource that will help you:

• iPhone + sending data from iPhone to server as XML format
• iPhone: HTTPS client cert authentication

note: for android you shoud take a look at the HTTPComponents

read more

• http://www.javamex.com/tutorials/cryptography/rsa_encryption.shtml
• http://www.edumobile.org/iphone/iphone-programming-tutorials/how-to-receive-data-from-the-server-in-iphone/