Implementing secure login with Swift and a PHP API

[ergospherical]

I'm hosting a database containing usernames and password hashes, and have written a little PHP API which accepts HTTP post requests (sent from an iOS application via Alamofire for Swift) containing two parameters, username & password, checks against the database & returns some JSON data containing a truth value signifying whether to validate the login, plus some accompanying information.

This method worked, but I cannot use it because HTTP post requests are not encrypted and the approach is pretty much totally unsecure. I am trying to figure out how best to reprogram the login - or use an existing library? In either case I would be interested to hear if you have experience with this sort of thing. Thanks!

 

[jedishrfu]

Try using https instead.

 

[pbuk]

Try using https instead.

...but still use a library. I recommend either Laravel if you want a completely pre-packed solution, or roll your own using the Symfony Request object (and then you will also want to add routing using e.g. FastRoute).

 

[ergospherical]

Try using https instead.

How would I do this with Alamofire? The relevant portion of my code is currently :

 @IBAction func loginPressed(_ sender: Any) {
        let username = usernameField.text!
        let password = passwordField.text!
      
        let parameters: Parameters=[
            "username":username,
            "password":password
        ]
    
        Alamofire.request(URL_USER_REGISTER, method: .post, parameters: parameters).responseJSON
            {
                response in
                if let result = response.result.value {
                    let jsonData = result as! NSDictionary
                    if(!(jsonData.value(forKey: "error") as! Bool)){
                        let validated = jsonData.value(forKey: "validated") as! Int
                        if(validated==1){
                            //Irrelevant stuff omitted for brevity
                        }
                    }else{
                        //error message in case of invalid credential
                    }
                }
        }
    }

 

[pbuk]

URL_USER_REGISTER needs to start with https:// instead of http://

 

[pbuk]

PHP's $_POST global is populated identically whether the request is HTTP or HTTPS.

 

[ergospherical]

Oh right, is it that simple of a change? And there's no glaring security vulnerabilities of using this approach to user authentication? Thanks for the speedy replies by the way.

 

[pbuk]

Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.

 

[pbuk]

But 99% of PHP-driven web sites (including I wouldn't mind betting this one) just use PHP's default 10 rounds of bcrypt stored in a SQL table backed up by a web host along with the rest of the database.

 

[ergospherical]

Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.

The salting and hashing I'm pretty confident about (well, I solicited some help from one of my friend's siblings who dabbles in cybersecurity ). I just need to be sure that I'm not doing anything stupid transferring data between the app and the API, but I'm reassured now that it's probably fine.

 

[pbuk]

The transfer is the one thing you don't have to worry about - https is implemented very securely by the client and the server. The other thing you need to watch is logging: web servers don't store plain text logs of request bodies (i.e. $_POST variables) by default (they DO store plain text logs of query strings i.e. $_GET variables), but be careful about implementing e.g. crash dumps of unsanitised $_POST variables.

 

[pbuk]

Oh and you will want to make sure that the incoming request IS actually HTTPS, either by enforcing a 301 redirect in an .htaccess file (assuming Apache) or by checking $_SERVER (again preferably indirectly e.g. with a Symfony $request->isSecure()). Or both.

 

[ergospherical]

I'm using Apache, yeah. Looks like this explains how to do it:
https://stackoverflow.com/questions/4398951/force-ssl-https-using-htaccess-and-mod-rewrite

 

[jedishrfu]

Make sure you properly quote any user input so as to prevent an injection attack. PHP may do that already But it’s good to do your due diligence and check it out.

The recent log4j crisis is predicated on the possibility that someone tries an injection attack and the web app logs it starting the disastrous chain of events.