ios - Sending Device Token Safely for APNs


For iOS applications that require push notifications, the app must first request the user's permission to do so. After that, a device token is generated, and with this, the remote server may communicate with the user through the token.

I have read a similar question here, and I do not feel it is enough. The picture below is a trusted certificate, which allows me to view the traffic that happens on the device.

With Fiddler2 CertMaker, I can sniff HTTPS traffic, which means the client can know what data they are sending, and to where.

My question is, knowing that SSL is not secure in protecting my clients from seeing what I send to the remote server, should I encrypt with a secret key found within my application?

Such as `encrypt("device_token","secretkey_a0a0a0a")` (pretend it is Objective-C)?

Couldn't someone find the key within my application? I read this question, and it seems that it is possible to get the secret key.

My plan goes like this:

  1. Within the iOS application, generate a random string named activate.
  2. Encrypt (not hash) the token with the random string and a secret key that I know. (secretkey_a0a0a0)
  3. Send the encrypted string along with the randomly generated string (active).
  4. On the server side, check if I can decrypt a valid token using the active and my secret key.
  5. I save the token in my database if it is valid.

This prevents people from randomly entering tokens, yes; however, secretkey_a0a0a0 is a string literal. It's possible to get this within the application binary itself.

My question is, how do I protect this secret key? The answer can also be how I can prevent people from sending invalid tokens to my server as well.

I have heard of encryption, but doesn't that apply to resource files?

How should I approach this?

If you do SSL pinning (AFNetworking has this implemented), you won't be able (in a reasonable timeframe) to sniff the HTTPS traffic between the client and server if you don't have the server's private key.
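
The pinning check the answer refers to, written directly against `URLSession` rather than AFNetworking, as an added example that is not part of the original question or answer. The host name, the `/devices` path and the pin value are placeholders assumed for illustration; the pin is the base64 SHA-256 of the server's public key and has to be computed from your own certificate.

```swift
import Foundation
import Security
import CryptoKit

// Assumptions (not from the original post): host, endpoint path and pin are placeholders.
let pinnedHost = "api.example.com"
let pinnedKeyHashes: Set<String> = ["BASE64_SHA256_OF_SERVER_PUBLIC_KEY_PLACEHOLDER"]

final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a TLS server-trust challenge
            return
        }
        // Fail closed: wrong host, failed chain validation or an unreadable key all cancel.
        guard space.host == pinnedHost,
              let trust = space.serverTrust,
              SecTrustEvaluateWithError(trust, nil),          // normal chain + hostname validation
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Hash of the key's external representation (not the full SPKI structure).
        let hash = Data(SHA256.hash(data: keyData)).base64EncodedString()
        if pinnedKeyHashes.contains(hash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A chain issued by a locally trusted proxy root (e.g. Fiddler's) validates but ends here.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

func registerDeviceToken(_ deviceToken: Data) {
    let session = URLSession(configuration: .ephemeral, delegate: PinnedSessionDelegate(), delegateQueue: nil)
    var request = URLRequest(url: URL(string: "https://\(pinnedHost)/devices")!)
    request.httpMethod = "POST"
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    let hex = deviceToken.map { String(format: "%02x", $0) }.joined()
    request.httpBody = try? JSONSerialization.data(withJSONObject: ["token": hex])
    session.dataTask(with: request) { _, response, error in
        // error is non-nil when the pin check cancelled the handshake
        print(error?.localizedDescription ?? "status \((response as? HTTPURLResponse)?.statusCode ?? -1)")
    }.resume()
    session.finishTasksAndInvalidate()   // releases the delegate once the task completes
}
```

Pinning the public key instead of the whole certificate lets the certificate be renewed with the same key pair; shipping a second, backup pin in `pinnedKeyHashes` avoids locking out installed apps when the key is rotated.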

