I am working on an enterprise application to be distributed in-hously. As a feasibility study, I have read & have developed push notifications using APNS. Here is something I want to ask regaring APNS.
My humble request to.enthusiastic developers,
"Answer this if they have encountered or have any idea or have done some sort of work like this. Please do not just point to any arbitrary tutorial or question links of Stack Overflow."
What are the security aspects involded (from information security point of view) on the PayLoad that I will be sending to APNS server. My client cares because of the information Security policies that I too have to abide.
Is it possible to send / receive notification from the APNS from being within a VPN. How ?
Is it possible to completely bypass the APNS server & have a one in-house server, that can send notification to my device directly. How ?
What if, if I want to implement APNS but do not want to share my
payload with APNS server.?
Thank you for reading my question.
Although end points of the APNS architecture are TLS encrypted, Apple may see your data in clear text. You have to clarify with your customer, if this is ok or not.
Yes, but you'll need some open ports
No, this is not possible
You may use some kind of token as the payload and request the confidential information from your own server using this token.
Related
So my client wants an app that works like this:
one user presses a button on his device
other user(s) get a push notification
no third party server
So I have been looking into the Apple Push Notification Service but I don't want to have a third party "provider" server. Would it be possible for an iPhone to act as a "provider"?
I have already looked at this question which sounds like what I want to do but I am not satisfied with the answer. More specifically:
Would encrypting the APNs key with another key hardcoded into the app be secure enough? Any other ideas for dealing with that issue?
The tokens will always stay the same for a given app for a given device, right? If that's the case, I can deal with creating the token database. If that's not the case, my app won't work.
Will Apple accept such an app?
Would encrypting the APNs key with another key hardcoded into the app be secure enough?
I believe the main issue is you'll need to deliver APNS certificate and private key with your app, and renew it when needed (on all devices). Regardless of it being encrypted or not, if it is available for your app, it might become available for attacker (by dumping its plaintext representation from memory, or by disassembling your decryption code) and make it possible to impersonate your app. So no, it is not secure.
The tokens will always stay the same for a given app for a given device, right?
Not really. Documentation claims that a device token is not a unique ID that you can use to identify a device. Device tokens can change after updating the operating system on a device. As a result, apps should send their device token.
Will Apple accept such an app?
I believe there were no precedents because of the reasons above.
Curious, is it a way to notify other client that I made a database operation, but without set up own server? Just from the client?
Image below shows, I need a server with SSL certificate. Any way to avoid?
You need to have a server (at minimum for security), but it doesn't need to be your server, there are many 3rd party companies who offer push notifications as part of their platform (like urban airship, or parse).
I want to use apple push notification service in my server. But someone said you have to use certificate in your server. I researched the internet and I have found tutorials but nobody says the certificate source. I am already using certificate in my app for push service but where can i found the certificates for server ? Can somebody show me a road map ?
Ps: I will use this is my server : https://github.com/argon/node-apn
http://developer.apple.com/
As usual with anything development related to Apple. Create a certificate there and use that.
Remember, for debug applications, you need to use the sandbox push service, while for release applications, you need to use the normal push service. Each require a different certificate.
All this is thoroughly explained in the Apple Push Notification Service and Provisioning and Development documents.
I want to validate iOS in-app-purchases using my own server. The iOS app will talk to my server which in turn will talk to Apple's server to determine if the IAP is valid. I'm fairly new to networking so I have a basic question: How can I make sure my iOS app is talking to my server securely?
I imagine the app will talk over https but I don't know how this works. Any advice on setting up https communication between the two (or alternate methods of secure communication) are greatly appreciated!
Lawson has a point. You can't make your server perform the purchases directly at the AppStore. That has to be performed by your app.
It should request the available product identifiers from your server and then send an SKProductsRequest to the AppStore.
If required it processes the purchase over the app store and tells your own server about it by sending a so called receipt. The server can validate the receipt directly at the AppStore. But that is the only thing the server can do it self at the AppStore.
You can read more about it here: Overview of In-App Purchase: Server Product Model
As for the connection between your app and your server, I don't think you have much of a (reasonable) choice but to use SSL. Almost anything more secure would require a PKI.
Sorry about the previous answer... I misread your question. You can have your server send a POST request to Apple's server, then parse the response.
https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html
We are building phonegap apps and we would like to send notifications to our users.
What is the cost for sending notifications ? Do we need only developer license or something else ?
Also, do we have to publish the apps in the app store in order to use APNS ? (We are building private business apps)
Thanks in advance,
What is the cost for sending notifications ?
Zero, if you doenst use a third party service like Urban Airship
Do we need only developer license or something else ?
Yes, without a license you cannot send any push notifications
Also, do we have to publish the apps in the app store in order to use
APNS ?
No
I'd like to add to the answer provided above. Not all third party services charge you for sending out push notification. PushWoosh is a free service without limits on the number of notifications being sent and the cost remains zero, unless you need some additional features (which you probably don't).