Secure Transaction between Mobile app and LAMP
20-02-2021
Question
I have a mobile app (iPhone and Android) which allows the user to log in to his account, change prefs, etc.
I want to add a new feature where the user can buy products through his device or upgrade his service. Everything will run from the device, and I want each transaction the user makes to sync to the web server.
I have HTTPS setup on my server. I would like to know if:
- Is it a good practice? Or should I simply tell the user to use our website?
- If "yes", is HTTPS alone good to process these transactions?
Thanks
Solution
Yes, it's a good practice.
First of all, ALWAYS use HTTPS.
Make sure your certificate is valid and trusted.
For iPhone:
- iPhone: HTTPS client cert authentication
- https://discussions.apple.com/thread/1652697?start=0&tstart=0
For Android:
Second, encrypt your data.
Any encryption algorithm or RSA encryption will do the trick.
Data passed using GET/POST should not be sent in plain text like: ?user=myuser&pass=mypass. Instead use something like ?h28JduDak30fT1pfgmSnShNms762023lflsfdj2h4J. Then on your server you simply have to decrypt it using a salt only your phone and the server know.
Example code for iPhone:
// Form body: the "key" field carries the encrypted payload (placeholder value here)
NSString *encrypteddata = [NSString stringWithFormat:@"key=enryptedstring"];
NSData *data = [encrypteddata dataUsingEncoding:NSUTF8StringEncoding allowLossyConversion:YES];
// [data length] is an NSUInteger, so format it as unsigned long
NSString *datalen = [NSString stringWithFormat:@"%lu", (unsigned long)[data length]];
NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
[request setURL:[NSURL URLWithString:@"https://yourserver:443/loginscript"]]; // :443 very important
[request setHTTPMethod:@"POST"];
[request setValue:datalen forHTTPHeaderField:@"Content-Length"];
// The media type and its charset parameter are separated by a semicolon
[request setValue:@"application/x-www-form-urlencoded; charset=utf-8" forHTTPHeaderField:@"Content-Type"];
[request setHTTPBody:data];
Similar idea for Android.
Then on your server you can decrypt $_POST['key'] and do your login logic (or others).
Here are more resources that will help you:
Note: for Android you should take a look at the HTTPComponents.
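One way the server side of the encrypted `key` field described in the answer could look, as an added example that is not part of the original post. The wire layout, the function names, the `ts` field and the 300-second freshness window are assumptions, and AES-256-GCM is a choice made here rather than something the answer names.

```php
<?php
// Hypothetical wire format: base64( nonce[12] || tag[16] || ciphertext ),
// AES-256-GCM over a JSON body that carries a Unix timestamp in "ts".
const NONCE_LEN = 12;
const TAG_LEN   = 16;
const MAX_AGE_S = 300; // assumed freshness window, limits replay of old requests

// Stand-in for what the mobile client does; used here only to build sample input.
function seal_transaction(array $tx, string $key): string
{
    $nonce = random_bytes(NONCE_LEN);
    $tag   = '';
    $ct    = openssl_encrypt(json_encode($tx), 'aes-256-gcm', $key,
                             OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    return base64_encode($nonce . $tag . $ct);
}

// Server side: returns the transaction array, or null when the field is
// malformed, fails authentication (was modified), or is outside MAX_AGE_S.
function open_transaction(string $field, string $key, int $now): ?array
{
    $raw = base64_decode($field, true);
    if ($raw === false || strlen($raw) <= NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag   = substr($raw, NONCE_LEN, TAG_LEN);
    $ct    = substr($raw, NONCE_LEN + TAG_LEN);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plain === false) {
        return null; // GCM tag did not verify
    }
    $tx = json_decode($plain, true);
    if (!is_array($tx) || !isset($tx['ts']) || abs($now - (int)$tx['ts']) > MAX_AGE_S) {
        return null;
    }
    return $tx;
}

// Constructed sample data (on a real server $field would be $_POST['key'])
$key   = random_bytes(32);
$now   = time();
$field = seal_transaction(['user' => 'myuser', 'sku' => 'upgrade-1', 'ts' => $now], $key);

$bad = $field;
$bad[20] = ($bad[20] === 'A') ? 'B' : 'A';              // one character altered in transit
var_dump(open_transaction($field, $key, $now));         // untouched field
var_dump(open_transaction($bad, $key, $now));           // altered field
var_dump(open_transaction($field, $key, $now + 3600));  // same field presented an hour later
```

This layer sits underneath HTTPS rather than replacing it. A key shipped inside an app binary can be recovered by anyone who has the app, so a per-user key issued after login is preferable to a single global secret.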