Authenticate communication to backend from iOS

I have a backend that handles requests to a database. My apps do not talk directly to the database for security reasons.

How would I make sure that only my apps talk to the backend on my server? I do not want other people querying my backend and try to access data. I only want my apps, that I build, to talk to it开发者_运维问答. Do I add something like Oauth or use certs?

What is the best way for iOS apps (or any apps in general) do talk to a backend?

You're asking how an application installed on an iOS device can authenticate itself against your server.

How do you identify your users?

If you can identify your users, the program could on the first start connect to your server, provide username/pass and get "secret" token. With this token, it can access the backend. You can store that token or not.

If you provide any kind of key in your app, it will be identical to every installation and easy to fetch from the app.

In Applicasa every app has its "space" So only your apps talk to the DB (each one to its own space) www.applicasa.com

You can use an authorization mechanism such as OAuth. Or you can build your own. It can be as simple as having a secret token/key. And you can keep it just as simple or you can start making it more complex (i.e. generating hashes with the token and the parameters in order to not send the token itself but a hash calculated with the token and the request parameters, etc).

However there is no way to keep the api tokens secret. Because an attacker can decompile your app, introspect the code and find your api key. You could check some http headers but faking the request headers is super simple. So you cannot guarantee that the requests are made from the iOS device.

It would be great if Apple provided a way to store something during the installation process that is signed with your developer certificate or something like that so you can keep something actually secret you can trust in the iOS device. But in the end someone would just sniff the network traffic to crack your authorization system.

So you can do things very complex but you cannot guarantee that the requests are always made from your device.