Question

How can I make sure only my iPhone app is allowed to use my App Engine application for sending and receiving data? I probably have to use a secret key, but I don't know how. Can I just use POST/GET to send my static key over HTTPS? Or do I need to use some dynamic secret key algorithm?

Any help would be appreciated! Bjorn


Solution

Assuming you think you can keep the secret on the iPhone app from being discovered, what you need is an HMAC. For every request you make, pass the text of the request into a function like HMAC-SHA1, with your secret key as the key, and add the result to the request you make. When the server receives the request, perform the same operation, and verify that the HMACs match.
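The signing scheme this answer describes, written out as an added example (not code from the answer's author or from App Engine). The client computes an HMAC over a canonical form of the request and attaches it; the server recomputes it with the same shared secret and compares in constant time. Two details beyond the answer are assumptions of this example: it uses HMAC-SHA256 instead of the HMAC-SHA1 named above, and it folds a timestamp and a random nonce into the signed string so a captured request cannot simply be resent. `SHARED_SECRET`, the header names and the `SeenNonces` cache are illustrative placeholders; on App Engine the nonce cache would live in memcache or the datastore rather than a Python dict.

```python
import hashlib
import hmac
import secrets
import time

# Placeholder secret for the example; a real deployment generates a random
# 32-byte value. As the answer notes, a key embedded in the app can be
# extracted, so this proves the request came from *a* copy of the app, not
# from an untampered one.
SHARED_SECRET = b"example-only-replace-with-random-32-byte-secret"

# How far a request timestamp may drift from server time before rejection.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body, time and nonce into one signed message.

    Signing only the body would let an attacker replay the same body
    against a different endpoint; including everything closes that gap.
    """
    return "\n".join([method.upper(), path, body, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the auth headers that travel with the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": tag}


class SeenNonces:
    """Server-side replay cache (in-memory stand-in for memcache/datastore)."""

    def __init__(self):
        self._seen = {}  # nonce -> time first accepted

    def add_if_new(self, nonce, now):
        # Entries older than the acceptance window can no longer be replayed
        # (the timestamp check rejects them), so they can be dropped.
        for old_nonce, ts in list(self._seen.items()):
            if now - ts > MAX_CLOCK_SKEW_SECONDS:
                del self._seen[old_nonce]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify_request(secret, method, path, body, headers, seen, now=None):
    """Server side: return (accepted, reason) for an incoming request."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        tag = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"

    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside window"

    expected = hmac.new(
        secret, canonical_string(method, path, body, timestamp, nonce), hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing.
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"

    # Record the nonce only after the signature checks out, so unauthenticated
    # traffic cannot fill the cache or block legitimate nonces.
    if not seen.add_if_new(nonce, now):
        return False, "replayed nonce"
    return True, "ok"


if __name__ == "__main__":
    cache = SeenNonces()
    body = '{"device": "example", "items": [1, 2, 3]}'
    hdrs = sign_request(SHARED_SECRET, "POST", "/api/sync", body)
    print(verify_request(SHARED_SECRET, "POST", "/api/sync", body, hdrs, cache))
    print(verify_request(SHARED_SECRET, "POST", "/api/sync", body, hdrs, cache))  # replay
    print(verify_request(SHARED_SECRET, "POST", "/api/sync", body + " ", hdrs, SeenNonces()))
```

The server must reconstruct exactly the same canonical string the client signed, so the body should be signed as the raw bytes sent on the wire, not re-serialized JSON. The timestamp check bounds how long the replay cache has to remember a nonce.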

OTHER TIPS

I'm not totally sure what you are trying to accomplish.

But, having shared secrets or API keys inside your iPhone app is generally a bad idea.

You are talking about your own AppEngine application. Why don't you create a simple (JSON based) web service on the AppEngine side that your app talks to? I doubt there is any need to directly use your AppEngine credentials from your iPhone app.

If this does not answer your question, please provide more details.

Use an SSL certificate on your web service as any data passed to this is encrypted.

An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, protecting private information from interception over the Internet.

Also on every call to the service send up a single guid that you have defined along with your data. This guid has to be validated before the web service performs any action. To lock down even further you can create a service that generates a guid which needs to be passed back up for any subsequent calling service.

Also make sure you don't allow anybody to see your wsdl on the server else they can guess your parameters.

An SSL certificate from RapidSSL costs $17 a year so the cost is nothing to worry about.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow