3

I have an iOS app that uses a web service to get data from my server. It grabs the data and echoes a JSON feed to the web page, and the iOS app interprets it. I have SSL so I am not worried about the data not being secure in transit.

My problem is that anybody can access the web service page and read the JSON data. It would not be hard for someone to build a program that interprets this data and the data includes sensitive user information.

I want to know how I can either make sure people can't just type in the URL and view the data, or some way to encrypt the JSON feed that prints out securely so that you need the keys to read it.

user3762780
  • 33
  • 1
  • 3
  • 1
    Usually you can limit access via API keys. It means you'll have to get into key management, but that's what you're after. You could also authenticate access to the service and just require that they've registered. At which point the service will require a session id token to elicit a response. This gets a bit more complicated, as then you'll have to manage token lifetimes, etc. If it's just your app doing it, why just use SSL using a specific application certificate? Then someone would need the cert in order to even open a connection. – Nate Diamond Feb 25 '16 at 22:22
  • Could you elaborate a little on the last idea you had? I am not sure what you mean by using SSL with a specific app certificate. How would this work? – user3762780 Feb 25 '16 at 22:38
  • Check [this](http://security.stackexchange.com/questions/37897/possible-to-limit-server-connections-to-clients-with-a-specific-certificate) out. – Nate Diamond Feb 25 '16 at 23:09

2 Answers2

4

It simply sounds like you need to add authentication to the web service.

From your description it appears that the request goes like follows:

App --> Web site --> Web service

If users have to register for your service, then when they log into the app it should authenticate with the web service and retrieve an authentication token. Ensure that the web service authenticates and authorises the user before any date is returned.

App [Auth Token] --> Web site [Auth Token] --> Web service [Auth token]

Then if anyone goes to the web service endpoint directly, they won't retrieve any data as they won't have a valid auth token.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
3

One Big Problem:

Allowing anyone access to your data without authorization, especially sensitive data is a HUGE no-no!

That being said if the only way to access this server is with an application, then the easiest thing to do is to use an application specific SSL certificate that unless the request uses that certificate, nothing will happen at all.

The only downside to this is that it will only be accessable to your application. If you want to go about it another way you can do some other options:

  • VPN. Unless you're in this VPN, you can't access the server because you can't see it.

  • API Keys with permissions and limiting(most common practice)

  • States and cookies(common practice), that can also be user stored, time out, and be encrypted safely(also common practice)

Robert Mennell
  • 6,978
  • 1
  • 14
  • 38