
I have an iPhone app written in Swift. The app connects to my server to get data (get_data.php) based on some selections that a user makes within the app.

The user doesn't have to sign up or anything.

Other apps are able to use my get_data.php by connecting to that PHP file. How do I prevent them from doing that?

Synchro
Julia

1 Answer


This is possible, but is a bit hazardous, and I would not recommend doing it for anything at all sensitive.

A good example of not requiring signups is mailinator.com, which relies on randomness instead. When you use the site, you can pick an "unguessable" name to use as an email address, such as lbpxlm4ChXVH6Utv9jUvxR0kB2nNHA@mailinator.com, and you can simply use it as you like. Bear in mind though that this relies on luck: there is nothing whatsoever preventing anyone else accessing the account beyond not being able to guess the string you use. For example, log in using an easily guessed name like Julia, and you'll see someone else's email!

While it's nice to be able to do this, note that it relies on the user remembering their login string accurately too – there isn't really a viable way of doing the equivalent of a password reset.

This is also not too far from what is referred to as "magic links" for logins, which is an alternative to id and password.

None of this is specific to Swift – you could implement this in any language.

Synchro
  • thanks, the problem I'm having is I found people are able to decompile my source code and look into my files. The get_data.php is actually hidden somewhere on the server and not available to the public. The only time that I use this file is in the app; I had something like get_data.php?code=2asiodfya8932 hard-coded in the app as a string, but it seems someone stole my code and is connecting to my server using that secret file I created for myself. Every time I make a change to that file, it is reflected in that guy's app. – Julia Jul 13 '20 at 17:07
  • This is why you should avoid storing secrets in your app source. Generate a random user identifier that you save locally, and pass that in requests to the server. This way there is no path that can be discovered in the source code, and if identifiers are sufficiently random, knowing one does not help you find another. In reference to your example, having the `get_data.php` URL revealed isn't a problem because you make it do nothing if it's not accompanied by a valid identifier. – Synchro Jul 13 '20 at 17:12
  • But if that guy is able to decode my source code and see what I'm doing, his app will also be able to generate a random user identifier from his app, and my server wouldn't be able to differentiate his app from my app. – Julia Jul 13 '20 at 17:14
  • That's a different problem better handled by things like [certificate pinning](https://medium.com/better-programming/how-to-implement-ssl-pinning-in-swift-7c4e8f6ee821) so that valid clients can sign their requests. [This question](https://stackoverflow.com/questions/29760216/in-ios-how-can-i-store-a-secret-key-that-will-allow-me-to-communicate-with-my) has some other good suggestions. – Synchro Jul 13 '20 at 17:20
  • From that topic, it seems it is impossible to develop a solution that can counter this situation. – Julia Jul 13 '20 at 17:25
  • It is certainly difficult. This is getting away from what you originally asked, but you have dug your own hole to an extent by not requiring authentication. There's more discussion of this subject [here](https://stackoverflow.com/a/48590939/333340). – Synchro Jul 13 '20 at 18:33
  • Yah, I want the user to get the data as quickly as possible, as there is really no need to log in. I didn't even know it was possible to decompile my app. Is it possible to contact Apple and try to have them remove the other app, since I have proof that they are scraping my site? – Julia Jul 13 '20 at 18:38
  • What's the best way to use authentication? Wouldn't the other app be able to do the same too? – Julia Jul 13 '20 at 19:46
  • Yes if you don't have user authentication. OAuth authenticates the app and the user separately, so embedded credentials are insufficient to do anything. This is really too big a topic for an SO question, but many pieces of it are discussed extensively if you do a bit of searching; I recommend reading more comprehensive articles about app authentication before asking more focused questions here. – Synchro Jul 13 '20 at 19:51
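The scheme the answer and its comments converge on (a random, server-issued identifier saved on first launch instead of a secret baked into the binary, the endpoint doing nothing without a valid one, and clients signing their requests) is shown below as an added example; it is not code from the answerer, and not the asker's get_data.php. Python is used as a neutral stand-in for both the PHP server and the Swift client so that both sides of the exchange sit in one runnable file. The HMAC-over-canonical-string construction, the 300-second clock-skew window, the nonce store and the constructed response data are all assumptions of this example. The last three cases in `demo()` are the caveat from the comments: a cloned app can still register its own install id, so what this buys is attribution, per-install rate limiting and revocation, not exclusivity.

```python
"""Per-install identifiers plus HMAC-signed requests: a model of the
get_data.php endpoint and the Swift client discussed above (added example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SKEW_SECONDS = 300  # assumed tolerance for clock drift between app and server


def sign(secret: bytes, install_id: str, ts: int, nonce: str, params: dict) -> str:
    """HMAC-SHA256 over a canonical string: install id, timestamp, nonce, sorted params."""
    canonical = "\n".join([install_id, str(ts), nonce, urlencode(sorted(params.items()))])
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


class Server:
    """Model of the server. No secret is shared by all copies of the app; each
    install gets its own secret at registration, so nothing is hard-coded."""

    def __init__(self):
        self.installs = {}        # install_id -> secret issued to that install
        self.revoked = set()
        self.seen_nonces = set()  # in production: a store with expiry (e.g. Redis)

    def register(self):
        """First launch: issue a random, unguessable install id and secret."""
        install_id = secrets.token_urlsafe(24)
        secret = secrets.token_bytes(32)
        self.installs[install_id] = secret
        return install_id, secret

    def revoke(self, install_id):
        self.revoked.add(install_id)

    def get_data(self, install_id, ts, nonce, params, sig, now=None):
        """Returns (status, body). Every rejection happens before any data is built."""
        now = int(time.time()) if now is None else now
        secret = self.installs.get(install_id)
        if secret is None or install_id in self.revoked:
            return 403, "unknown or revoked install id"
        if abs(now - ts) > SKEW_SECONDS:
            return 403, "stale timestamp"
        if nonce in self.seen_nonces:
            return 403, "replayed request"
        expected = sign(secret, install_id, ts, nonce, params)
        if not hmac.compare_digest(expected, sig):
            return 403, "bad signature"  # params tampered with, or secret unknown
        self.seen_nonces.add(nonce)
        return 200, {"selection": params.get("selection"), "rows": [1, 2, 3]}  # constructed data


class Client:
    """Model of the app. On iOS the install id and secret would live in the Keychain."""

    def __init__(self, server):
        self.server = server
        self.install_id, self.secret = server.register()

    def request(self, params, now=None):
        ts = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        sig = sign(self.secret, self.install_id, ts, nonce, params)
        return (self.install_id, ts, nonce, params, sig)

    def get_data(self, params, now=None):
        install_id, ts, nonce, params, sig = self.request(params, now)
        return self.server.get_data(install_id, ts, nonce, params, sig, now=now)


def demo():
    """Walk through the cases discussed in the thread; returns the status codes."""
    server = Server()
    app = Client(server)
    t = 1_600_000_000  # fixed clock so the run is deterministic
    results = {}
    results["legit"] = app.get_data({"selection": "a"}, now=t)[0]

    # Someone who learned the URL and an install id but not its secret: forged signature.
    install_id, ts, nonce, params, _ = app.request({"selection": "a"}, now=t)
    results["forged_sig"] = server.get_data(install_id, ts, nonce, params, "00" * 32, now=t)[0]

    # Someone who captured a valid request and replays it unchanged.
    captured = app.request({"selection": "b"}, now=t)
    results["first_use"] = server.get_data(*captured, now=t)[0]
    results["replay"] = server.get_data(*captured, now=t)[0]

    # Captured request with the selection changed: the signature no longer matches.
    install_id, ts, nonce, _, sig = app.request({"selection": "c"}, now=t)
    results["tampered"] = server.get_data(install_id, ts, nonce, {"selection": "z"}, sig, now=t)[0]

    # The caveat from the comments: a cloned app can register its own install id...
    scraper = Client(server)
    results["scraper_before_revoke"] = scraper.get_data({"selection": "a"}, now=t)[0]
    # ...but once spotted, that one id can be revoked without touching real users.
    server.revoke(scraper.install_id)
    results["scraper_after_revoke"] = scraper.get_data({"selection": "a"}, now=t)[0]
    results["legit_still_ok"] = app.get_data({"selection": "a"}, now=t)[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:>22}: {status}")
```

Two design points worth noting. Request signing with a server-issued per-install secret is what lets the server reject tampered and replayed requests and revoke one abusive install; certificate pinning, mentioned in the comments, is a different control that authenticates the server to the app and does not by itself let the server tell clients apart. And because registration is open, anyone who decompiles the app can still go through it, so the `scraper_before_revoke` case returns 200; closing that gap needs something the clone cannot reproduce, which is what user authentication or platform attestation provides, as the last comment says.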