iOS - Sending Device Token Safely for APNs
For iOS applications that require push notifications, the app must first request the user's permission to do so. After that, a device token is generated, and with this, the remote server may communicate with the user through this token.
I have read a similar question here, and I do not feel it was enough. The picture below is a trusted certificate, which allows me to view the traffic that happens on this device.
With Fiddler2 and CertMaker, I can sniff HTTPS traffic, which means the client can know what data they are sending, and to where.
My question is, knowing that SSL is not secure in protecting against my clients seeing what I send to the remote server, should I encrypt with a secret key found within my application?
Such as encrypt("device_token","secretkey_a0a0a0a") (pretend this is Objective-C)?
Couldn't someone find that key within my application? I read this question, and it seems that it is possible to get the secret key.
My plan goes like this:
- Within the iOS application, generate a random string named activate.
- Encrypt (not hash) the token with the random string and a secret key that only I know. (secretkey_a0a0a0)
- Send the encrypted string along with the randomly generated string (active).
- Within the server side, check if I can decrypt a valid token using the active and my secret key.
- I save the token in my database if it is valid.
This prevents people from randomly entering tokens, yes; however, secretkey_a0a0a0 is a string literal. It's possible to get this within the application binary itself.
My question is, how do I protect this secret key? The answer can also be, how can I prevent people from sending invalid tokens to my server as well.
I have heard of encryption, but doesn't that only apply to resource files?
How should I approach this?
If you do SSL pinning (AFNetworking has this implemented), you won't be able (in a reasonable timeframe) to sniff the HTTPS traffic between the client and the server if you don't have the server's private key.
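
The certificate pinning the answer above refers to, written directly against NSURLSession instead of AFNetworking, as an added example that is not part of the original post. The class name PinningDelegate and the bundled resource api-server.cer are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate: accepts a TLS connection only when the server's leaf
// certificate is byte-for-byte the DER certificate shipped in the app bundle.
@interface PinningDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, strong) NSData *pinnedCertificate;
@end

@implementation PinningDelegate

- (instancetype)init {
    if ((self = [super init])) {
        // Assumed resource name; the file is the server's certificate in DER form.
        NSString *path = [[NSBundle mainBundle] pathForResource:@"api-server" ofType:@"cer"];
        _pinnedCertificate = path ? [NSData dataWithContentsOfFile:path] : nil;
    }
    return self;
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    BOOL accepted = NO;
    // Step 1: normal chain and hostname validation must still pass.
    if (trust != NULL && self.pinnedCertificate != nil && SecTrustEvaluateWithError(trust, NULL)) {
        // Step 2: the leaf must be the pinned certificate. A proxy CA that has
        // been trusted on the device passes step 1 but fails here.
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0); // deprecated in iOS 15
        if (leaf != NULL) {
            NSData *leafData = CFBridgingRelease(SecCertificateCopyData(leaf));
            accepted = [leafData isEqualToData:self.pinnedCertificate];
        }
    }
    if (accepted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Fail closed: no fallback to the system trust store.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Pinning the leaf certificate means the app must ship an update whenever the server certificate is renewed; pinning the public key avoids that as long as the key pair is reused.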