开发者

What is the best way to secure a RESTful API to be accessed on an iPhone

I am looking for some suggestions on how to secure access to a RESTful API which initially be used by an iPhone application, but will have other clients in the future. The data exposed by this API must be kept secure as it may contain health information. All access will be done over HTTPS.

I was thinking that I'd like to require pre-registration of the iphones at setup and then also some type of PIN/Password on each request. So, simply knowing the password without pre-registering the phone/client won't provide access. I was thinking about somehow tying it to the iPhone identifier if that is possible, but not sure it would provide any additional security. The iPhone identifier is just another piece of information and it may not even be that secret.

So, some requirements would be开发者_C百科:

  • Use some type of pin-based solution on the iPhone, but want more security then a simple 4-6 digit pin can provide.
  • No passwords could be sent in the clear.
  • Not be subject to reply attacks
  • Having to pre-exchange some data between client and server when setting up client is OK.


I would think that, if the application contains medical records, you would want to have the user authenticate every time they use the application or, at least, have some way of pushing down a disable message that renders the app useless in the case where it is lost or stolen. The 4-6 character password (pin) would also concern me with respect to HIPAA, if it applies.

You might want to treat it as a standard web app from the server perspective and do session-based authentication and access with a session that times out, perhaps after a long period, and re-authentication on timeout.


You could use SSL with client authentication. If a device gets lost, you can remove the certificate on the server. There are some obstacles though:

  • It is not entirely clear if/how you can do client authenticated SSL on the iPhone Unfortunately, there is not much documentation about it. Have a look at Certificate, Key, and Trust Services Reference
  • You have to create a private key for every device
  • You also have to figure out a secure way to transfer the private key to the device
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜