
I am not sure how to address the question properly, but I know I am confused here. I do not mean for you to code or write scripts for me; all I am asking for is guidance.

I have set up an API (a framework built in PHP) to serve resources for apps, mainly iOS and Android. I have also read about implementations such as the Amazon REST API, Facebook OAuth, Twitter xAuth, etc. My concern is regarding authentication (encryption, probably) from the viewpoint of the app.

So initially, the user will download the app and install it. The very first thing the user will see in the app is a login page: username and password. The user fills it in and submits. That's where my problem is. I am concerned about how the app will pass the username and password to the API. Of course, the credentials must be encrypted so I can decrypt them on the server, but I am confused about the specific process.

I am not a mobile developer, so maybe that is the reason I know nothing of the process. Please enlighten me.

EDIT:

The username and password on the login page are not the credentials used to access the API but rather the credentials for the user's account, so the API knows whether the user is a valid one and then returns details for their profile.

  • In most of our apps we are using SHA1 and MD5 on the server and client side. So basically, if you do some encryption on the server side which uses SHA1, MD5 and string concatenation, it should work for you. At least that's the way I am using this in all the apps I've done for Android and iOS. Commented Feb 14, 2013 at 8:46
  • OK, because on the server side user passwords are hashed using crypt(); do Android & iOS have something similar? Commented Feb 14, 2013 at 8:51
  • You can hash your passwords in Android and iOS using AES / DES encryption/decryption as far as I'm familiar, but to make things work you need to take a careful look at how it's done on the server side, like setting paddings and the right encryption method, so you can do the right things in the mobile app. You need a lot of testing both ways. Commented Feb 14, 2013 at 8:57

4 Answers


It depends on your need for safety, of course; a bank handling money transfers will go to much further extents to provide safety, but in general the following should at least give your API safety from anyone who isn't going to put hundreds of hours into it or is a pro hacker:

First of all, you can communicate through HTTPS, which requires pretty much no effort from you. Secondly, you can hash the password with a hash and salt (a random bunch of chars before and/or after it; include the salt before hashing) which only you and your API know. You do not decrypt it: there is no reason for you to know someone's password, even as admin. Actually, you can't even decrypt it if you use some of the standard things like MD5 or SHA1. You can simply compare the hashed+salted value to know if someone is allowed to log in.

I guess you can do the same with the username, but it's not necessary.

Again: this is no foolproof anti-hacker and safety method, but it will provide for most APIs' needs for safety.
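The salted-hash comparison this answer describes, as an added example that is not the answer author's code (the question's API is PHP, but the logic is the same in any language). It uses PBKDF2-HMAC-SHA256 with a per-user random salt in place of plain MD5/SHA1; the USERS store, ITERATIONS and the function names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed in-memory store: username -> (salt, hash). A real API keeps this
# in its database; the plaintext password is never written anywhere.
USERS = {}
ITERATIONS = 200_000  # PBKDF2 work factor; raise it as server CPU allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted hash: a fresh random salt per user means two users with the
    same password still store different hashes, and tables of precomputed
    hashes are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Run by the website where accounts are created (per the question)."""
    USERS[username] = hash_password(password)


# Dummy record so that a login for an unknown user costs the same time as one
# for a real user; otherwise response time reveals which usernames exist.
_DUMMY = hash_password("placeholder")


def verify_login(username: str, password: str) -> bool:
    """Server side of the app's login call: the app sends username and password
    over HTTPS, the server recomputes the hash with the stored salt and compares
    in constant time. Nothing is decrypted; the hash cannot be reversed."""
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong password"))                # False
    print(verify_login("nobody", "placeholder"))                  # False
```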




Aside from rolling your own authentication, you might want to leverage other login providers like Facebook and Twitter. This would require you to set up app configurations in those providers, to redirect back to your app. https://softwareengineering.stackexchange.com/questions/78587/facebook-and-twitter-authentication-from-mobile-applications

I also found this page on basic guidelines on authentication in REST - http://www.infoq.com/news/2010/01/rest-api-authentication-schemes

2 Comments

I wish but I can't. Corpo issues.
Even if you use HTTP for authentication (and you should), this article has some really good points about also signing requests with a hash of the API key.

A lot of applications use HTTP authentication for API use. HTTP basic is just what it says, very basic and not very secure. Better is to use http-auth, which safely makes use of the username and password to secure communications.

Basically you just need to configure whatever server you have to use http-auth for API calls, and make sure it knows about your accounts.

On the iOS side, use a library like AFNetworking to handle communications with the server; you can pass the library a username/password to use for authenticating calls.

I would also recommend storing the username/password in the application keychain so the user does not have to type it in every time.

3 Comments

Does it mean the username and password the user inputs on the login page will be safe in the header? Because that username and password is not to access the API but to validate and log in to his account.
The username and password do not get set in the header in HTTP-AUTH (they do in HTTP-BASIC). Instead there is a credential challenge and you are given back a token that gets used in future requests. The URL frameworks all handle this for you, to some extent (AFNetworking does more than NSURLConnection alone).
Also do not forget the whole POINT of REST is leveraging the existing HTTP framework to do all the hard work - HTTP authentication is a well understood thing that works with routers everywhere and is quite secure.
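The challenge-then-token flow described in the comments above, as an added example in Python rather than the page's PHP, and not code from the answer's author: the app sends HTTP Basic once over HTTPS, the server checks the credentials and returns an opaque random token, and later requests carry only the token. TOKENS, TOKEN_TTL, the function names and the check_credentials callback (which would be the salted-hash lookup on a real server) are assumptions of this example.

```python
import base64
import binascii
import os
import time
from typing import Callable, Optional, Tuple

# Hypothetical token store: token -> (username, expiry time). Tokens are
# opaque random strings, so a leaked token reveals nothing about the password.
TOKENS = {}
TOKEN_TTL = 3600  # seconds

def make_basic_header(user: str, password: str) -> str:
    """Client side: what a library like AFNetworking puts in the header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: decode 'Basic <base64(user:pass)>'; None if malformed."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def login(header: str, check_credentials: Callable[[str, str], bool],
          now: Optional[float] = None) -> Optional[str]:
    """First request: the credentials are checked once (check_credentials is
    the salted-hash lookup) and exchanged for a short-lived random token."""
    creds = parse_basic_header(header)
    if creds is None or not check_credentials(*creds):
        return None
    token = base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")
    issued = now if now is not None else time.time()
    TOKENS[token] = (creds[0], issued + TOKEN_TTL)
    return token

def authenticate(header: str, now: Optional[float] = None) -> Optional[str]:
    """Later requests carry 'Bearer <token>'; returns the username, or None
    if the token is unknown or expired (expired tokens are dropped)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or token not in TOKENS:
        return None
    user, expiry = TOKENS[token]
    if (now if now is not None else time.time()) >= expiry:
        del TOKENS[token]
        return None
    return user
```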

As others say, you can hash the password using a hashing algorithm like MD5. Note this is NOT encryption; it's hashing. There is no need for you to send the plaintext password to the server (or to store it; you store the hash). You did not say how and where the user can create their account, but you need to make sure the algorithm you use to create the password hash is the same.

1 Comment

Users register on the website (not via the app). The username and password they created on the website can be used to log in to the app.
