stackoom
  简体   繁体   中英

How do I only allow access to my MySQL database from my iOS app? (Using webapp as gateway to db)

 原文  2013-08-23 04:44:46       php/ mysql/ ios/ security

Question

My iOS app needs to connect to a mysql server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.

My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.

Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?

Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.

The option that I thought of was using https so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, https can be expensive for a poor college student, so I'd like an alternative if one exists.

1 answers

solution1
 6 ACCPTED  2013-08-23 05:35:25

As stated before, there is no 100 % security possible. But there are several solutions that put together give great security.

Https

As you point out, this is an important part , as it prevents sniffing.

Sessions

Use sessions and don't allow any request without a valid session ( except the first, that must authenticate the app ).

Fingerprint

Check the user agent and set extra http headers, to get a fingerprint unique to your app. ( Still someone could sniff, but he needed to use curl or similar. )

Obfuscate requests

Build your query string and apply a hash function. The server needs to implement the reverse function. ?43adbf764Fz instead of ?a=1&b=2

Encrypt

This goes a step further. Use a shared secret to calculate a hash. On the server repeat the same. This is already strong security. In order to break, one needs to reverse engineer your app.

Use unique shared secret

You say it is a app for iOS. Upon installation a unique token is generated by iOS. Have your app register this token with your server. Like this you have a strong shared secret unique to each installation, and there would be no way to hack your web app.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do i upload data from my ios app into my sql database? How do I allow post requests from my pages only? How do i access my database from Spotify apps How do I allow multiple users to use my web app & database? How can I allow only HTML into my database? How do I connect my Laravel 5 app to mysql using MAMP? How do I get the information from my form to insert into a mySQL database using XAMPP? How do I print a selected list item from my MySQL database using php? How can I access my database mysql server using my local ip address instead of using localhost Using PHP, within a search, how do I contain an html link in an image from my MySql database?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM