Security concerns sending user name and password to server via https from iOS app

Submitted by 浪尽此生 on 2019-12-24 10:48:26

Question


I have set up in app purchase receipt verification in accordance with Apple's recommendations by sending the receipt to my server which in turn sends it to Apple's servers for verification. All my receipt processing is handled server side and it is working perfectly. My server sends back a very obscure code to my app to confirm whether the purchase is valid or not. I make use of a pretty robust obfuscation method on the app side to disguise what is going on with that return code to make it as difficult as possible on jailbreaking hackers to defeat it.

The issue is that I have my php files stored in a password protected folder on my web server, and am concerned about how that can be considered secure when the app itself has the user name and password for that directory embedded in it to send the receipt to the php file to begin with.

My app only uses the server for receipt authentication of in app purchases. All other functionality is in the app itself, so I don't force each user to have an account with a unique username and password.

I am using URLSession to communicate with the server via a TLS 1.2 https connection so that part is secure, but I can't think of a way to keep a determined hacker from potentially extracting the user name and password from the app on their device, and having access to my server folder directly. Someone with that capability could just as easily modify the php file to always return a code indicating a valid purchase.

I do obfuscate the user name and password inside the app to the point that I think most folks would probably give up on trying to figure it out, but I know I have only made it harder to extract, not anywhere near impossible.

Any thoughts on this? Just about everything I found online concerning this has been concerned with not transmitting a username and password via http, not the bigger issue of a jailbroken device.


Answer 1:


So I think I have come up with a fairly secure solution to this mess. Thanks much to the folks that took the time to comment on this, as your inputs were certainly helpful.

First off, while I have quite a bit of experience with Obj-C/Swift iOS development, the server side stuff is pretty new to me, but I am learning a lot pretty rapidly. What may seem like a huge eureka moment to me, will seem fairly routine to a big-time REST/Linux/PHP expert, so bear with me.

To summarize the challenge: I wanted to send a json representation of an in-app purchase receipt from my app to a .php file on my server so it could send it to Apple for verification. To protect that .php file, I placed an .htaccess file in its folder to require a user name and password to access it.

NSURLSession dealt with this nicely, but required me to put the user name and password in the app...not good. That is what got the obfuscation conversation going, and made me realize there was no way to keep the password safe when hardcoding it into the app.

Then I realized that I could park files outside of my public_html folder (my eureka moment), and that is what I have done. So inside the public_html folder, which has an index.html file in it as well, I now have a very simple .php file that does nothing more than call a function in another .php file which does all the work talking to Apple's servers and parsing the response. When it has finished parsing, it returns a very obscure code (not the well publicized codes that Apple returns) to the simple .php file which in turn returns that to my app. Based on that code the app will decide whether or not to grant access to the purchased goods.

Using server side permissions I have restricted the simple .php file in the public_html directory from read or write access from the "world", leaving it as executable only. So while a hacker can quickly obtain the name of that file if they hack the app, it should do them no good. I no longer require a user name or password in the app at all, and the "main" .php file that does all the work lives in a folder that is outside the public_html folder, has its permissions set to restrict read/write/execute from the "world", and even though I think it is overkill I put a .htaccess file in there and deny all.

I think I have a "fairly" secure solution here that should make it pretty hard on a casual hacker to steal an in-app purchase, but as always I am open to suggestion in case I have missed something.
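The layout this answer describes, written out as an added example (it is not the answerer's code): a thin entry point under `public_html` that holds no credentials, and a worker file in a sibling `private/` directory that is outside the document root and therefore never served over HTTP. The worker posts the receipt to the `verifyReceipt` endpoint Apple documents for this, retries against the sandbox host when Apple reports status 21007, and returns an opaque code of its own rather than Apple's public status values. It also checks two things the prose above does not mention but that a defender wants on the server side: that the receipt's `bundle_id` is this app's, and that it contains a product this app actually sells, since Apple's status 0 only says the receipt is genuine, not that it belongs to you. The bundle and product identifiers, the `private/` path, the environment variable for the shared secret and the opaque codes are all assumed placeholders.

```php
<?php
// ---- public_html/verify.php : the only file under the web root ----
// Thin entry point. No username, password or secret lives here, so there is
// nothing for someone reverse-engineering the app to extract.
declare(strict_types=1);
require_once __DIR__ . '/../private/receipt_verifier.php';   // outside public_html (assumed layout)

$body    = json_decode((string) file_get_contents('php://input'), true);
$receipt = is_array($body) ? ($body['receipt'] ?? '') : '';

header('Content-Type: application/json');
echo json_encode(['code' => verify_receipt((string) $receipt)]);


<?php
// ---- private/receipt_verifier.php : not reachable over HTTP ----
declare(strict_types=1);

// Placeholder identifiers: replace with your own app's values.
const EXPECTED_BUNDLE_ID  = 'com.example.myapp';
const ALLOWED_PRODUCT_IDS = ['com.example.myapp.pro'];

// Opaque codes returned to the app (constructed; deliberately not Apple's status numbers).
const CODE_OK     = 'a7f3';
const CODE_REJECT = '91cb';
const CODE_ERROR  = '5e20';

function verify_receipt(string $receiptB64): string
{
    // Reject anything that is not even well-formed base64 before talking to Apple.
    if ($receiptB64 === '' || base64_decode($receiptB64, true) === false) {
        return CODE_REJECT;
    }

    $response = ask_apple('https://buy.itunes.apple.com/verifyReceipt', $receiptB64);
    // 21007: a sandbox receipt was sent to the production host; retry against sandbox.
    if (($response['status'] ?? -1) === 21007) {
        $response = ask_apple('https://sandbox.itunes.apple.com/verifyReceipt', $receiptB64);
    }
    if ($response === null) {
        return CODE_ERROR;                 // network or parse failure, not a verdict
    }
    if (($response['status'] ?? -1) !== 0) {
        return CODE_REJECT;                // Apple says the receipt is not valid
    }

    // Status 0 only proves the receipt is genuine. Make sure it is *ours*
    // and that it actually contains a product we sell.
    $receipt = $response['receipt'] ?? [];
    if (($receipt['bundle_id'] ?? '') !== EXPECTED_BUNDLE_ID) {
        return CODE_REJECT;
    }
    foreach ($receipt['in_app'] ?? [] as $purchase) {
        if (in_array($purchase['product_id'] ?? '', ALLOWED_PRODUCT_IDS, true)) {
            return CODE_OK;
        }
    }
    return CODE_REJECT;
}

// POST the receipt to Apple and return the decoded JSON, or null on failure.
function ask_apple(string $url, string $receiptB64): ?array
{
    $payload = ['receipt-data' => $receiptB64];
    // Shared secret is only needed for auto-renewable subscriptions; it is read
    // from the server environment (assumed variable name), never shipped in the app.
    $secret = getenv('APPLE_SHARED_SECRET');
    if ($secret !== false && $secret !== '') {
        $payload['password'] = $secret;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // keep TLS verification on for the Apple call
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw = curl_exec($ch);
    $ok  = $raw !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    if (!$ok) {
        return null;
    }
    $decoded = json_decode((string) $raw, true);
    return is_array($decoded) ? $decoded : null;
}
```

Two points on the design. What keeps `receipt_verifier.php` private is its location outside the document root: the PHP interpreter still has to read both files, so the web-server user needs read permission on them, and the permission bits on the public file are not what protects the worker. And because `verify.php` is reachable by anyone, its security rests entirely on the server doing the verification and on the checks above, not on the endpoint's name staying unknown; the app-side return code is only an obfuscation layer, as the original question already acknowledges.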




Answer 2:


You are imagining a hacker reversing your obfuscated binary to try to get the username and password. That's the hard way to do it. The easy way is to inspect network traffic.

Yes, TLS can easily be bypassed by the owner of the device even without jailbreaking it. TLS protects against external attackers, but it does not protect against someone wanting to inspect their own network traffic. This is very easy to do; see for example the instructions on my blog where I beat a very popular iOS game.

If you want to stop this easier attack, you can try to implement certificate pinning. That can still be broken easily on a jailbroken device, but you deter a lot of casual hackers who won't want to jailbreak their device.

At the end of the day, you are right that a determined hacker is going to win against this type of design.



Source: https://stackoverflow.com/questions/42599062/security-concerns-sending-user-name-and-password-to-server-via-https-from-ios-ap
