
How to send data to webserver and know it comes from a certain application?

I'm trying to send data from my application to a webserver. The catch is that I want to encrypt the sent data and also make sure it comes from my application. (From what I've read so far it's easy to decrypt the data if it's not sent via HTTPS. On the unique application I didn't find anything except the Application ID Apple provides for each application but I don't know how that works).

The data sent are various highscores and achievements that the user can enable. The thing is that the user doesn't have to type in anything but his username and having that associated with the UDID it should be enough. But how to make sure it's from my application?

Edit: After reading some responses around here I still didn't understand something: if someone extracts the IPA and reverse engineers it, wouldn't he have access to all my .h and .m so he can look up anything in there?


You could generate a client certificate for the iPhone app, and use mutual authentication for your SSL handshake. Then you know that data submitted to the server come from a particular user of the app, and that your app is communicating with the correct server.

Regarding your edited update, yes, if someone reverse-engineers your app they can probably work out how the high-scores are protected. But seriously, how much trouble do you expect most people to go to in order to fake a high score in a game? Are you offering a cash prize or something?


If you are using HTTPS then you can just put an identifier key in your POST to the web server, either as a field or perhaps an HTTP header that identifies your app. The entire connection is encrypted so it will be protected. If you do this you will want to encrypt the key even in your binary and decrypt it as you send it over the connection, that way no one will be able to pull it out with a hex editor.


Another approach if all you want is to know that the data comes from an authentic instance of your application is to use message authentication codes (MAC). I leave deciding how strongly the key needs protecting as an exercise to the reader - you know your security requirements better than I do.

You can use CommonCrypto - part of the iOS SDK since forever - to actually generate the MAC.
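
The MAC approach from the last answer, seen from the webserver's side, as an added example that is not code from the original answers. The field names, the demo key and the nonce/timestamp replay checks are assumptions that go beyond what the answer describes; on the device the tag would be computed with CommonCrypto's HMAC routines over the same canonical bytes.

```python
import hashlib
import hmac
import json
import time

# Assumption: constructed demo key. A key shipped inside an app binary can be
# recovered by anyone who reverse-engineers it, as the question's edit notes.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW_SECONDS = 300  # assumed acceptance window for the client timestamp


def canonical(payload):
    """Serialize deterministically so both sides MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_submission(username, udid, score, nonce, timestamp, key=SHARED_KEY):
    """Stand-in for the app: the payload plus an HMAC-SHA256 tag over it."""
    payload = {"username": username, "udid": udid, "score": score,
               "nonce": nonce, "ts": timestamp}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


class ScoreVerifier:
    """Server side: check the tag first, then freshness, then nonce reuse."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen_nonces = set()  # a real service would use an expiring store

    def verify(self, message, now=None):
        now = time.time() if now is None else now
        payload, tag = message.get("payload"), message.get("mac")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            return "malformed"
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        # compare_digest does not leak the first mismatching byte through timing
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-mac"
        ts = payload.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale"
        nonce_id = (str(payload.get("udid")), str(payload.get("nonce")))
        if nonce_id in self.seen_nonces:
            return "replay"  # a captured valid submission sent a second time
        self.seen_nonces.add(nonce_id)
        return "ok"
```

A valid tag only shows that the sender holds the key, so the server should still sanity-check the score itself.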
