Login Security concerning Online Access to a Database Server

Discussion in 'iOS Programming' started by mathfantasia, May 8, 2016.

  1. mathfantasia macrumors member

    Joined:
    Jul 23, 2009
    #1
    I did some searches of Macrumors and didn't find what I was looking for. So here's my problem:

    I've had some experience in coding with 6 or so apps on the Mac and iOS stores, but from what I know this is a tough subject. I am looking for a good tutorial about login security and how an iOS app can use a login/pw combo to connect to my online server, send my server data, and have that data stored for future use. I have had different people say different things. "Oh just look up such-and-such security algorithm and do it yourself." to "Bad security can lead to stolen passwords / accounts not just on your server but on the user's other online logins also. Do NOT try it by yourself."

    I am storing achievement data for an educational quiz / game type site. The data is not critical, but it would be nice if nothing too bad happened.

    Thanks, Macrumors!
     
  2. Mascots macrumors 65816

    Mascots

    Joined:
    Sep 5, 2009
    #2
    I'm going to say there isn't a single right way, but there are definitely wrong ways.

    Personally, I'd go the SSL/TLS route to wrap a REST API since that is relatively straightforward; I've had success with that in the past, there is a good amount of information, high-quality documentation, and a nice feature set available at your disposal.
     
  3. AxoNeuron, May 9, 2016
    Last edited: May 9, 2016

    AxoNeuron macrumors 65816

    AxoNeuron

    Joined:
    Apr 22, 2012
    Location:
    The Left Coast
    #3
    The best way is to combine multiple approaches. It's actually really easy and simple to make a highly secure login system, I would never tell people they shouldn't do it themselves. Most of it is just common sense. Make it so that even if the hacker gains complete access to your database, they still can't get any passwords.

    Definitely use HTTPS/TLS for app to server communication.

    I never, ever store actual passwords in the server database. I use the SCrypt npm package to store hashed representations of their passwords. It's very easy and only adds a few extra lines of code. I also use SHA-256 hashing client side. That way, the server never actually knows what the real password is, so even if the server gets hacked the passwords are totally secure.

    I also have my servers generate temporary access keys, and this is what the app uses to communicate with my app server. Every time it makes a request, it sends its access key. It's a rolling system, so a new access key gets generated every time a request is made, and old access keys expire when a newer one is used.
     
  4. slayerizer macrumors 6502a

    slayerizer

    Joined:
    Nov 9, 2012
    Location:
    Canada
    #4
  5. AxoNeuron macrumors 65816

    AxoNeuron

    Joined:
    Apr 22, 2012
    Location:
    The Left Coast
    #5
    For even more security, in addition to using HTTPS/TLS, you can also add additional encryption of the actual JSON sent between your app and the server. I've never actually worked on an app that required such a level of security, but I am planning to in the next few weeks and I'll be combining every trick in the books.
    --- Post Merged, May 9, 2016 ---
    I really, really hate CloudKit. It's so locked down.

    JavaScript & Node.js are so easy to learn these days that you really can build your own platform server to do everything you want, quite easily without all the silly restrictions of iCloud.
     
  6. slayerizer macrumors 6502a

    slayerizer

    Joined:
    Nov 9, 2012
    Location:
    Canada
    #6
    I'm not against a home-made solution, but I'm sure CloudKit can handle Quiz/Puzzle data. It's all about choice.
     
