I am trying get an iPad app to authenticate to Windows based application that uses WebHttpSecurityMode.Transport mode. I am assuming that I need specific fields in the http header to be filled out correctly to make this happen.
I am using NSURLConnections and then sending a request using sendSynchronousRequest. I am sending a rest request through the connection and receiving a (401) unauthorized. With a windows client I can use the same credentials and gain access.
I am setting the following fields in the http header
Accept, Accept-Charset, Accept-Encoding, Content-Type, Connection, Date, Basic, Authization.
Any suggestions would be greatly appreciated.
Related
I have developed an iOS app using Xamarin and I am unsure about how encryption would work when calling a service that uses HTTPS.
On my end I do nothing particularly special: I utilize a RestClient and add the credentials to the body of a json serialized request. I then post it to the HTTPS service.
Is this safe or should I be doing more? I am not sure if iOS handles the rest for me in terms of encryption.
Answer
Yes, by using HTTPS, you are most-likely safe. However, there are a couple things to verify to ensure that there are no security leaks.
More Info on TLS
Communication with secure HTTPS enpoints encrypt the header and body of the message by default using TLS.
HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security. Source
Things To Verify
Do Not Use Sensitve Data in the URL
The Url of the HTTPS endpoint is not encrypted. It is important to never put any sensitive data into the Url of the HTTPS enpoint. To ensure sensitive data is encrpyted, put the data in the message body.
For example, if you are validating a user's login (username: user1234, password: password1234), do not send the username/password as a url parameter. Instead, serialize the username and password data, and set it as the HttpContent of the HttpClient.
Bad: https://myApiEndpoint.com/getIsUserValid/user123/password1234
iOS HttpClient Implementation
Ensure that you are using NSUrlSession for the iOS HttpClient Implementation.
NSUrlSession will use TLS by default when communicating with secure HTTPS endpoints. As of iOS 10, NSAppTransportSecurity will not allow communication to non-secure HTTP endpoints by default; communication with non-secure HTTP enpoints can be enabled by updating NSAppTransportSecurity in Info.plist, Apple Documentation.
You can verify NSUrlSession is being used in the iOS Build Settings (screenshot below).
When using HTTPS everything except the server address is encrypted during transit. The encryption is totally transparent to the client and server.
Example: for the URL https://myApiEndpoint.com/getIsUserValid/user123/password1234 only myApiEndpoint.com is not encrypted, the rest of the URL is encrypted.
In order to protect against MITM attacks pin the server certificate, that is verify that the certificate received on the request belongs to the correct server.
If you control the server use TLS 1.2 and Perfect Forward Secrecy.
I am working on some app which as API call. while i add proxy in mobile and see response in web debugging tools. I can see my api call parameters and response too.
while in others app I cant see this things and it is secured.
how can i acheive this?
Pictures said your API is using non-secure HTTP protocol while others app using HTTPS. The Web API should be performed via HTTPS protocol. HTTPS using SSL/TLS as secure transport layer, it means all data are encrypted before they're online. So, we don't care about any kinds of proxy
I was wondering if there are any advantages/disadvantages in using POST/GET method in Swift 2 to send password and username to the web server in order to authenticate the user. I am working on the iPhone application that fetches data from the web. The request passes the parameters to the URL and server sends data back. I modeled the current application with Enums defining a different endpoints for each request and it would be really easy for me to model Login the same way. However, I am not sure if that is the right direction.
So essentially GET is used to retrieve remote data, and POST is used to add/update remote data.
For security reasons, it does not make any difference. Just be sure that your connection is secured with an https certificate, and do not allow http connections.
I'm writing a desktop application in Delphi and trying to sync it with Google calendar (windows only, win 7 and newer). I've registered a custom uri schema in my system registry, so eu.myapp:test will run my program or pass a message to an already running instance of the program.
I've managed to get the first step of authentication going - I open the default browser, asking the user for permission to modify their calendars, I get the authentication code back into my software without a hitch. The oauth client is registered as an iOS app,
However when I try to request an actual token, the request is denied (400 - Bad request) with the following response body:
{
"error": "invalid_request",
"error_description": "Invalid parameter value for redirect_uri: Missing scheme: eu.myapp",
"error_uri": ""
}
My request body looks like this:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=XXX&
client_id=YYY&
redirect_uri=eu.myapp&
grant_type=authorization_code
According to the documentation, I am supposed to include the redirect URI obtained from the API Console, but I found no such URI there. Found some older answers, but the developer console has apparently been changed since they were given so they are no longer relevant. What am I missing?
Edit: Added some more information
I built a simple nodejs server and put it up with a SSL certificate and nginx, so I could see what actually gets sent across. I then used both my app and the example C# app to send the token request to it and monitor the request body.
The only discernible difference was that delphi url encoded the code automatically (4%2Fhky... instead of 4/Fhky... for example). Other than that they seemed identical.
I also tried rewriting the app to listen to a localhost port but ended up with the same results. There is a delphi demo where they demonstrate the use of google api by using an embedded browser for the user to log in (and it works), but according to the api documentation, it's deprecated and will go away soon. Besides, it seems like I can manage the first redirect just fine, but getting the actual tokens fails.
Found my error. I noticed that the parameters were getting encoded automatically by the delphi component responsible for making the requests. I manually encoded the redirect uri before setting it as a parameter on the token request. Then the component encoded it again, which caused it to be different to the url given on the code request, which caused the uri_mismatch error.
The uris also need to be identical on both requests, as even though the second request does not redirect, it still uses the redirect_uri as a validation parameter.
When I'm sending request to O365 with WinInet, the server replies with HTTP 403 and X-Forms_Based_Auth_Required header. However, InternetErrorDlg does nothing on it and silently returns 0. Same is happening when requesting OAuth-enabled sites.
What does InternetErrorDlg support?
Is there any "system/IE" way to handle all the stuff with web-based authentication, including smart-cards, pins, storing passwords/auth-cookies etc.? Or this all must be implemented manually?