Securing server access for iOS app: How to restrict connections to genuine clients?

Hey everyone,

I’m building an iOS app with a Rails backend and I’m a bit worried about security. I want to make sure only my app can talk to the server. Not looking to stop piracy, just want to avoid automated attacks that could mess things up.

Here’s what I’m thinking:

  1. Use the device’s UDID
  2. Mix it with a secret key
  3. Send this combo over HTTPS

This should let me create authenticated sessions without user accounts. Keeps things simple for users.

But I’m not sure if this is enough. Could someone grab the hash and use it again? Is HTTPS enough to stop eavesdropping?

Any advice would be awesome. Thanks!

hmm, interesting approach! have u considered using apple’s app attest api? it could help verify ur app’s authenticity. also, what about implementing some kinda token-based auth system? that might be more secure than just using device IDs. curious to hear what others think about this too. how often do u plan on rotating ur secret keys?

yo, have u thought bout using a challenge-response system? it’s pretty solid. basically, ur server sends a random challenge, the app signs it with a private key, and sends it back. makes it way harder for hackers to fake. plus, u could add some device fingerprinting to make it even tougher. just my 2 cents!
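The challenge-response exchange described in the reply above, written out as an added example that is not code from this thread: a Ruby sketch (the OP's backend is Rails) in which the server issues a random nonce, the app signs it with a per-device private key, and the server checks the signature against the public key the device registered at enrollment. The nonce is bound to one device, expires after a short time, and is deleted the moment it is presented, so a captured response cannot be replayed, which is the OP's "could someone grab it and use it again" concern. The class names, the in-memory stores, the 60-second lifetime and the `device_id|nonce` signing layout are all assumptions; RSA is used only because it works across Ruby OpenSSL versions, and on a real device the private key would live in the Keychain/Secure Enclave with enrollment gated by App Attest.

```ruby
require "openssl"
require "securerandom"

# Server side (assumed: in-memory sketch; a Rails app would keep these in the DB or Redis).
class ChallengeServer
  CHALLENGE_TTL = 60 # seconds a challenge stays valid (assumed value)

  def initialize
    @devices = {}    # device_id => registered public key
    @challenges = {} # nonce => { device_id:, expires_at: }
  end

  # Enrollment: the app registers its public key once. In production this is the
  # point where an App Attest assertion would be checked before accepting the key.
  def register(device_id, public_key_pem)
    @devices[device_id] = OpenSSL::PKey::RSA.new(public_key_pem)
  end

  # Step 1: issue a random challenge bound to one device, with a short lifetime.
  def issue_challenge(device_id, now = Time.now)
    raise ArgumentError, "unknown device" unless @devices.key?(device_id)
    nonce = SecureRandom.hex(32)
    @challenges[nonce] = { device_id: device_id, expires_at: now + CHALLENGE_TTL }
    nonce
  end

  # Step 3: check the response. The nonce is removed before any other check, so a
  # captured response cannot be replayed even when this call fails.
  def verify(device_id, nonce, signature, now = Time.now)
    record = @challenges.delete(nonce)
    return false unless record
    return false unless record[:device_id] == device_id && now <= record[:expires_at]
    @devices[device_id].verify(OpenSSL::Digest.new("SHA256"), signature,
                               self.class.signing_input(device_id, nonce))
  rescue OpenSSL::PKey::PKeyError
    false # malformed signature bytes
  end

  # Both sides sign/verify the same bytes; including the device id stops a nonce
  # issued to one device from being answered under another identity.
  def self.signing_input(device_id, nonce)
    "#{device_id}|#{nonce}"
  end
end

# Client side (assumed: stands in for the iOS app; the private key never leaves it).
class AppClient
  attr_reader :device_id, :public_key_pem

  def initialize(device_id)
    @device_id = device_id
    @private_key = OpenSSL::PKey::RSA.new(2048)
    @public_key_pem = @private_key.public_key.to_pem
  end

  # Step 2: sign the challenge; the raw signature would be base64-encoded on the wire.
  def sign_challenge(nonce)
    @private_key.sign(OpenSSL::Digest.new("SHA256"),
                      ChallengeServer.signing_input(@device_id, nonce))
  end
end

# One complete round trip; returns the server's verdict for the genuine response.
def run_handshake
  server = ChallengeServer.new
  client = AppClient.new("device-A")
  server.register(client.device_id, client.public_key_pem)
  nonce = server.issue_challenge(client.device_id)
  server.verify(client.device_id, nonce, client.sign_challenge(nonce))
end

puts(run_handshake ? "authenticated" : "rejected") if __FILE__ == $0
```

The single-use delete in `verify` is deliberate: it happens before the signature check, so an attacker who records a valid response gets exactly one use out of it, and that use already belonged to the genuine app. A real deployment would also issue a short-lived session token on success rather than repeating the handshake on every request.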

While your approach is a good starting point, there are a few considerations to keep in mind. Using the device UDID is problematic as Apple has deprecated access to it for privacy reasons. Instead, consider using a combination of DeviceCheck and App Attest APIs provided by Apple. These allow you to verify device integrity and app authenticity without compromising user privacy.

HTTPS is essential but not foolproof. Implement certificate pinning to prevent man-in-the-middle attacks. Also, use a robust API key management system and rotate keys regularly.

For added security, implement rate limiting on your server to prevent brute force attacks. Consider using OAuth 2.0 for a more standardized authentication flow, even without user accounts.

Remember, security is an ongoing process. Regularly update and patch your server and app, and stay informed about the latest security best practices in mobile app development.
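The server-side rate limiting this answer recommends, as an added example that is not code from the thread: a sliding-window limiter in Ruby keyed on the client's identity, replayed over a constructed burst of requests so the allow/deny decisions are visible. The `RateLimiter` class, the in-process Hash, the sample request list and the 5-per-60-seconds quota are assumptions; a Rails deployment would back the counters with Redis (or use Rack::Attack) so the limit holds across app servers. Keying on the device identity established by an attested or challenge-response login, rather than only the source IP, means one misbehaving client cannot exhaust another's quota and a single client cannot dodge the limit by rotating addresses.

```ruby
# Sliding-window limiter (assumed: in-process Hash; production would use Redis or Rack::Attack).
class RateLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @hits = Hash.new { |h, k| h[k] = [] } # key => timestamps of counted requests
  end

  # true if the request may proceed, false if the key already used its quota in the window.
  def allow?(key, now = Time.now.to_f)
    stamps = @hits[key]
    cutoff = now - @window
    stamps.shift while !stamps.empty? && stamps.first <= cutoff # drop hits outside the window
    return false if stamps.size >= @limit
    stamps << now
    true
  end

  # Quota left for the key at time `now`, useful for a Retry-After / X-RateLimit-Remaining header.
  def remaining(key, now = Time.now.to_f)
    cutoff = now - @window
    [@limit - @hits[key].count { |t| t > cutoff }, 0].max
  end
end

# Constructed sample: [client key, seconds since start]. device-A sends a burst of six
# requests in under three seconds, then one more after the window has moved on.
SAMPLE_REQUESTS = [
  ["device-A", 0.0], ["device-A", 0.5], ["device-A", 1.0], ["device-A", 1.5],
  ["device-A", 2.0], ["device-A", 2.5], ["device-B", 0.2], ["device-B", 30.0],
  ["device-A", 70.0]
].freeze

# Replays the sample in time order and returns allowed/denied counts per key.
def replay(requests, limit: 5, window_seconds: 60)
  limiter = RateLimiter.new(limit: limit, window_seconds: window_seconds)
  tally = Hash.new { |h, k| h[k] = { allowed: 0, denied: 0 } }
  requests.sort_by { |_, t| t }.each do |key, t|
    tally[key][limiter.allow?(key, t) ? :allowed : :denied] += 1
  end
  tally
end

if __FILE__ == $0
  replay(SAMPLE_REQUESTS).each { |k, v| puts "#{k}: #{v[:allowed]} allowed, #{v[:denied]} denied" }
end
```

With the sample above, device-A's sixth request inside the window is denied while the one at 70 seconds is allowed again, and device-B is never throttled. The same limiter is worth applying separately to the challenge-issue and verify endpoints, since those are where a brute-force attempt would concentrate.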