How do I make PHP and IOS Iphone talk together with encryption?

Im looking what is the good way to make talk an iphone apps with a php server, with encryption. In fact, I also have an android app that want also to talk to this php server, with encryption.

Which solution can i use that would work both on ipho开发者_JAVA百科ne, android, and php ?

I have been looking for openssl but on android its quite impossible.

I am wondering about crypto lib... anybody know something or have an idea ?

thanks.

But what if you dont want to use SSL ?

Ok, so will try now to explain better what we want to protect. We have a software both on android and iphone that is using some webservices of our php server. We dont want anybody else to use our web services. We could use SSL to talk between softwares and php server but for example, on android it is very easy to unassemble an android software and then access to the good code... So we are looking to find how we can procted better the software like encryption of the talks.. or any other idea...

Just run the connection over SSL.

On the iPhone, I prefer using ASIHTTPRequest as it handles some of the more esoteric modes easily.

On Android, see this previous SO thread

UPDATE;

Reasons for not re-inventing the wheel include

• SSL is industry tried and tested, why try to do anything else? It's built right in to the devices you want to use, it works and is basically PERFECT for encrypting the traffic from a mobile device to a back end server. Unless you are working for a foreign government, I really can't see any valid case for avoiding the tried, tested, 'it just works' SSL.

• You are probably not a cryptography expert. It's amazingly simple to really mess this sort of thing up by rolling your own solution, even if that involves some other standard components. You are more likely to make it ridiculously easy to crack than making it 'better' than SSL.

• Export Compliance Headaches - once you start using encryption that isn't standard, you will have to register with the US Government for cryptographic export. You technically have to do that even if you are using SSL, but using something non-standard you will suddenly find you can't use any of the exemptions from stricter export licensing and your admin headaches will multiply.

What you're asking for is a form of DRM, and fundamentally impossible. You want to put your code on user devices, but not let them examine it or execute it except in an approved fashion. Since they physically own the device, you can't prevent them from disassembling your code, examining the communications, or just about anything else. The best you can do is obfuscation: embed a secret key in the code, make it hard to extract, and HMAC all your communications with that key.

A better approach would be to examine the user's incentives - why do they want to use your APIs outside your app - and build your API and/or business model such that people going out of their way to use it is a good thing, not a bad thing.

OK in the light of the new information, I'll answer this again.

What you are describing is access control. That has little to do with encryption apart from it being sensible to communicate user credentials over SSL ;-)

Essentially you need to verify that a given device (user) has access to your server. You could do worse than look at how Amazon implement this for their AWS web services where you generate a signature / token that travels along with each request. The token contains hashed (not encrypted - there is a big difference that you need to understand) details pertaining to the user (device) making the request, the request itself and additionally it is time limited - so you can generate tokens that are only valid for a short period of time.

To establish the validity of a user/device in the first place to access the service, you would probably want some sort of email or SMS based sign up procedure that enables your server to verify that the requesting party is authorised to make future requests.