
AFNetworking make post requests via HTTPS

In my iPhone app, I'm currently using AFHTTPRequestOperationManager to send POST requests to my server and get data.

But I have noticed that some of my app users have hacked these POST requests and changed the values in them to increase their coins in the app.

So I want to make these whole POST requests encrypted/HTTPS (I don't even know the term). I want these POST requests to not be editable by the users.

Is there a way to do this with AFNetworking? I need an example of a POST request and a PHP example of reading that request. I searched Google but couldn't find anything easy to understand. Below is the template of the HTTP request I currently use. Please give a detailed answer; I'm no expert in AFNetworking or PHP.

// Build the endpoint URL from the app-wide site URL.
NSString *url = [NSString stringWithFormat:@"%@getlist-s.php", [Globals getSiteUrl]];
AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
// The PHP script replies with text/plain, so accept that content type.
manager.responseSerializer.acceptableContentTypes = [NSSet setWithObject:@"text/plain"];

// POST body parameters sent to the server.
NSDictionary *params = @{@"user_id": [Globals loggedInUser].Id,
                         @"action": @"get_list",
                         @"offset": [NSString stringWithFormat:@"%d", offset]
                         };

[manager POST:url parameters:params success:^(AFHTTPRequestOperation *operation, id responseObject) {
    // Handle responseObject here.

} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
    NSLog(@"Error: %@ %@", error, operation.responseString);

}];

You can simply reconfigure your webserver to use HTTPS instead of HTTP. This uses port 443 instead of 80 and requires an SSL certificate. Luckily, you don't have to pay for these anymore; you can get one free via Let's Encrypt. I'd recommend switching off the HTTP endpoint so users can't continue using an older version.

You can then update your code so all endpoints are HTTPS instead of HTTP.

HTTPS encrypts not only the contents of the requests and responses but also anything in the URL after the domain name, making man-in-the-middle attacks much more difficult. That said, this isn't a foolproof approach, as a user could still MITM their own device with their own root certificate, but how they'd go about doing that is out of the scope of this answer.

Another layer of security would be to use an HMAC (Hash-Based Message Authentication Code).

The app would generate one by taking the request parameters and a shared secret, hashing them using a secure hashing algorithm, and adding this on as an additional parameter to the request. The server can verify that it's correct (and the request is authentic) by taking the supplied parameters, using the same shared secret, hashing them in the exact same way and checking that the supplied HMAC and the one it has just generated are the same.

It's important to ensure that your shared secret stays a secret between the app and your server and is NEVER transmitted between the two. If you want to be clever about it, you could generate a shared secret on the fly based on certain common parameters, but that could get complicated, error-prone and affect legitimate users.

It's a cat-and-mouse game; nothing is perfect, and if someone really wants to cheat the system then they will, but this should deter most casual attackers.
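The HMAC scheme the answer describes, as an added PHP example that is not part of the question or the answer: both sides build the same canonical string from the POST fields, compute HMAC-SHA256 with the shared secret, and the server compares in constant time. It assumes the tag travels in a parameter named `hmac`, that SHA-256 is the hash, and that the secret is a placeholder you replace; the sample parameters are constructed to match the question's request.

```php
<?php
// Added example (not the page's code): HMAC-SHA256 over POST parameters
// with a shared secret. Assumptions: tag is sent in the "hmac" field,
// the secret exists only in the app and on the server, never in the request.

// Canonical form both sides must produce byte-for-byte identically:
// drop the "hmac" field, sort by key, join as key=value&key=value.
function canonical_string(array $params): string {
    unset($params['hmac']);
    ksort($params, SORT_STRING);
    $parts = [];
    foreach ($params as $k => $v) {
        $parts[] = rawurlencode((string)$k) . '=' . rawurlencode((string)$v);
    }
    return implode('&', $parts);
}

// Client side (what the app does before sending): compute and attach the tag.
function sign_params(array $params, string $secret): array {
    $params['hmac'] = hash_hmac('sha256', canonical_string($params), $secret);
    return $params;
}

// Server side (what getlist-s.php does on receipt): recompute and compare
// with hash_equals so the comparison time does not leak where they differ.
function verify_params(array $params, string $secret): bool {
    if (!isset($params['hmac']) || !is_string($params['hmac'])) {
        return false;   // missing tag, or an array smuggled in as hmac[]
    }
    $expected = hash_hmac('sha256', canonical_string($params), $secret);
    return hash_equals($expected, $params['hmac']);
}

// Constructed sample with the same fields the question's request sends.
$secret = 'PLACEHOLDER-replace-with-a-long-random-secret';
$sent = sign_params(['user_id' => '42', 'action' => 'get_list', 'offset' => '0'], $secret);
var_dump(verify_params($sent, $secret));      // untouched request verifies

// A copy with one value edited by the user no longer matches the tag.
$tampered = $sent;
$tampered['offset'] = '999';
var_dump(verify_params($tampered, $secret));  // tampered request is rejected

// In the real endpoint, pass the incoming form fields instead of $sent:
// if (!verify_params($_POST, $secret)) { http_response_code(403); exit; }
```

The canonical string is the part that most often breaks in practice: the Objective-C side must encode and order the fields exactly as this function does, or every legitimate request will fail verification.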
