• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Encryption and Security
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Encryption and Security

  • Subject: Re: Encryption and Security
  • From: Peter N Lewis <email@hidden>
  • Date: Fri, 9 Jan 2009 09:44:14 +0900
At 17:54 +0000 8/1/09, Matt Keyes wrote:
I am working on an iPhone app that communicates with a .NET SOAP web service. I have the SOAP client down, but now I need to think about the security. The .NET web service ultimately will be validating the Windows login as part of the communication process, and I am trying to think how best to handle this on the iPhone. My thoughts are that maybe using SSL would be good or encrypting part of the data in the transmission (we tend to use Rijndael in most of our apps).

I am relatively new to Cocoa, however, and I would appreciate some pointers. I know the CryptoSample project exists out there, but I am not clear as to what is possible on the iPhone. Can I use SSL? If not, could I use Rijndael or some other common encryption method? If so (for any of this), can anyone point me to a sample. 

Several comments:

* Authentication = verifying the person is who they claim to be. This is distinct from data privacy/integrity protection for which data encryption is useful.

* If you use any non-system encryption for purposes other that just authentication then you'll need to sort out the US Export approval drivel. Presumably SSL does not require this. You can use anything you want for the authentication.

* If you use SSL, the server must have a real properly trusted certificate as the iPhone has no way to disable this requirement - this killed the system SSL for me as the server is a desktop application. Presumably you could include openssl yourself, although you might then have to go through the US export encryption stuff.

* Try to avoid storing clear text passwords on the iPhone as your preference files can be read off if the phone is stolen and people tend to reuse passwords.

* For password hashing, MD5 is easy, but relatively weak. SHA-1 is stronger.

* If you do want a non-system encryption, Blowfish is a few hundred lines of public domain code, so its an easy solution.

Enjoy,
   Peter.

--
              Keyboard Maestro 3 Now Available!
   Now run macros from your iPhone with Keyboard Maestro Control!

Keyboard Maestro <http://www.keyboardmaestro.com/> Macros for your Mac
<http://www.stairways.com/>           <http://download.stairways.com/>
_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden




  • Follow-Ups:

      

    • Re: Encryption and Security

      • From: Andrew Farmer <email@hidden>
      • 





References: 


 >Encryption and Security (From: Matt Keyes <email@hidden>)






    

  • Prev by Date:
Re: What's the most cocoa-ey pattern for this?

    • 

  • Next by Date:
Re: Best way to handle this

    • 

  • Previous by thread:
Re: Encryption and Security

    • 

  • Next by thread:
Re: Encryption and Security

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •