Protecting Data Feed for iPhone App

Question

I am creating an App that pulls data from a file on my server. That file gets data from my database, based on GET values that are passed through the URL.

I would like to keep this feed closed - that is, I don't want people finding the datasource and reading the data on their own. I considered sending an alphanumeric id along with the url string, but if they can find the URL that I am calling, then there won't be anything preventing them from grabbing that alphanumeric id also.

I am looking for any ideas or experiences that might help me here.

Answer 1

You could use HTTPS, that will prevent casual observation of the data transfer, although it won't protect it completely.

You could also require that the user login to retrieve the feed, it would be relatively easy to side-step a user registration process by using the device's UDID as the account value, then just asking the user for a password.... this method could still be abused by a malicious individual, but once you introduce user accounts you can throttle the requests.

You can also use a guid or hash in the url string to prevent a casual observer from just iterating through all possible values to scrape your database.

Answer 2

There really isn't any way to prevent people from reading your feed. You can put in obfuscation, but the fundamental problem is that anyone can download the app and examine it to find out any secret that you use to hide the data.

However, something that would hide it from the casual observer would be to store a key in the code segment of your app and then (over a TLS link), pass that key to the server, which would then grant access.