iOS Login Security concerning Online Access to a Database Server

[mathfantasia]

I did some searches of Macrumors and didn't find what I was looking for. So here's my problem:

I've had some experience in coding with 6 or so apps on the Mac and iOS stores, but from what I know this is a tough subject. I am looking for a good tutorial about login security and how an iOS app can use a login/pw combo to connect to my online server, send my server data, and have that data stored for future use. I have had different people say different things. "Oh just look up such-and-such security algorithm and do it yourself." to "Bad security can lead to stolen passwords / accounts not just on your server but on the user's other online logins also. Do NOT try it by yourself."

I am storing achievement data for an educational quiz / game type site. The data is not critical, but it would be nice if nothing too bad happened.

Thanks, Macrumors!

 

[Mascots]

I'm going to say there isn't a single right way, but there are definitely wrong ways.

Personally, I'd go SSL/TLS route to wrap a rest API since that is relatively straight forward, I've had success with that in the past, there are good amounts of information, high quality documentation, and nice feature set available to your disposal.

 

[AxoNeuron]

The best way is to combine multiple approaches. It's actually really easy and simple to make a highly secure login system, I would never tell people they shouldn't do it themselves. Most of it is just common sense. Make it so that even if the hacker gains complete access to your database, they still can't get any passwords.

Definitely use HTTPS/TLS for app to server communication.

I never, ever store actual passwords in the server database. I use the SCrypt npm package to store hashed representations of their passwords. It's very easy and only adds a few extra lines of code. I also use SHA-256 hashing client side. That way, the server never actually knows what the real password is, so even if the server gets hacked the passwords are totally secure.

I also have my servers generate temporary access keys, and this is what the app uses to communicate with my app server. Every time it makes a request, it sends its access key. It's a rolling system, so a new access key gets generated every time a request is made, and old access keys expire when a newer one is used.

 

[762999]

I did some searches of Macrumors and didn't find what I was looking for.

easy answer: CLOUDKIT

official doc:
https://developer.apple.com/icloud/

Keep your apps connected and up to date across iOS, OS X, and now on the web with CloudKit JS. With free public storage up to 1PB, it's never been easier to build and grow your apps using CloudKit.

tutorial:
https://www.raywenderlich.com/83116/beginning-cloudkit-tutorial

 

[AxoNeuron]

For even more security, in addition to using HTTPS/TLS, you can also add additional encryption of the actual JSON sent between your app and the server. I've never actually worked on an app that required such a level of security, but I am planning to in the next few weeks and I'll be combining every trick in the books.
[doublepost=1462790395][/doublepost]

easy answer: CLOUDKIT

official doc:
https://developer.apple.com/icloud/

Keep your apps connected and up to date across iOS, OS X, and now on the web with CloudKit JS. With free public storage up to 1PB, it's never been easier to build and grow your apps using CloudKit.

tutorial:
https://www.raywenderlich.com/83116/beginning-cloudkit-tutorial

I really, really hate CloudKit. It's so locked down.

JavaScript & Node.js are so easy to learn these days that you really can build your own platform server to do everything you want, quite easily without all the silly restrictions of iCloud.

 

[762999]

For even more security, in addition to using HTTPS/TLS, you can also add additional encryption of the actual JSON sent between your app and the server. I've never actually worked on an app that required such a level of security, but I am planning to in the next few weeks and I'll be combining every trick in the books.
[doublepost=1462790395][/doublepost]
I really, really hate CloudKit. It's so locked down.

I'm not against home made solution but I'm sure CloudKit can handle Quiz/Puzzle data. It's all about choice.