Best Practice: Login Session on iOS

endernafi
VIP Livecode Opensource Backer
Posts: 296
Joined: Wed May 02, 2012 12:23 pm

Best Practice: Login Session on iOS

Post by endernafi » Thu Apr 11, 2013 1:29 am

Hello all,

As mentioned in the subject,
what's the best practice to create a login-required iOS app?
Is the below algorithm appropriate?

* get the username & password from the native input boxes

* encrypt them with *md5Digest*
{is md5Digest secure enough or are there any other encryption options for iOS?}

* post them to a php script in the server

* php script checks the md5'ed username & password against the members table in a mySql database

* get the answer of php script

* if it is ok, continue to the mainstack of app,
if it isn't then show the input screen again.
{should I count the login attempts to prevent a possible brute-force attack
or let the php script do the check counts of login attempts?}


Are there any possible issues which I should be careful about, considering Apple's reviewing policies?
I read a post of Jacque ( viewtopic.php?f=49&t=13526&p=65150 ) as:
"I would also wonder about Apple's response. They do not allow custom licensing schemes, …"
What's a custom licensing scheme?
There's something as "we should be able to load a license to devices" in my customer's notes.
May I reply to my customer that Apple strictly forbids this?


Thanks…


~ Ender Nafi
~... together, we're smarter ...~
__________________________________________

macOS Sierra • LiveCode 7 & xCode 8

Simon
VIP Livecode Opensource Backer
Posts: 3901
Joined: Sat Mar 24, 2007 2:54 am

Re: Best Practice: Login Session on iOS

Post by Simon » Thu Apr 11, 2013 1:58 am

Hi Ender,
I only can answer one of the questions:
{should I count the login attempts to prevent a possible brute-force attack
or let the php script do the check counts of login attempts?}
For brute force attacks I understand just setting a 1 second delay before they can enter again skyrockets the time taken to break (as in not make it worthwhile). But also the limited number of tries will really help.

Simon
I used to be a newbie but then I learned how to spell teh correctly and now I'm a noob!
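
The delay and attempt limit from the reply above, enforced in the server-side PHP script rather than in the app, as an added example that is not part of any post in this thread. The function name, the limits and the in-memory arrays (standing in for the MySQL members table and an attempts table) are assumptions, and PHP's `password_hash`/`password_verify` are used for the stored password in place of the md5 digest from the question.

```php
<?php
// Added example, not code from the thread. All names and limits are assumptions.
const MAX_FAILURES = 5;      // tries allowed before lockout (assumed value)
const LOCKOUT_SECONDS = 300; // lockout length (assumed value)
const RETRY_DELAY = 1;       // minimum seconds between tries, as in the reply above

/**
 * $members:  username => password_hash() output (stands in for the members table)
 * $attempts: username => ['failures' => int, 'last' => int] (stands in for an attempts table)
 * Returns 'ok', 'denied', 'too_fast' or 'locked'.
 */
function attemptLogin(array $members, array &$attempts, string $user, string $password, int $now): string
{
    $state = $attempts[$user] ?? ['failures' => 0, 'last' => 0];

    // The lockout expires after LOCKOUT_SECONDS; then the counter starts over.
    if ($state['failures'] >= MAX_FAILURES) {
        if ($now - $state['last'] < LOCKOUT_SECONDS) {
            return 'locked';
        }
        $state['failures'] = 0;
    }
    // Enforce the delay on the server; a counter kept only in the app can be bypassed.
    if ($state['failures'] > 0 && $now - $state['last'] < RETRY_DELAY) {
        return 'too_fast';
    }

    // Verify against a dummy hash for unknown users so both paths do the same work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $members[$user] ?? $dummy;
    $ok = password_verify($password, $hash) && isset($members[$user]);

    $attempts[$user] = $ok
        ? ['failures' => 0, 'last' => $now]
        : ['failures' => $state['failures'] + 1, 'last' => $now];
    return $ok ? 'ok' : 'denied';
}

// Constructed sample data: five wrong guesses, then the right password while locked.
$members = ['ender' => password_hash('correct horse', PASSWORD_DEFAULT)];
$attempts = [];
$t = 1000;
foreach (['guess1', 'guess2', 'guess3', 'guess4', 'guess5', 'correct horse'] as $i => $pw) {
    echo attemptLogin($members, $attempts, 'ender', $pw, $t + 2 * $i), "\n";
}
// Same password again after the lockout window has passed.
echo attemptLogin($members, $attempts, 'ender', 'correct horse', $t + 10 + LOCKOUT_SECONDS), "\n";
```

In a real deployment the `$attempts` state would live in the database so it survives between requests.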

endernafi
VIP Livecode Opensource Backer
Posts: 296
Joined: Wed May 02, 2012 12:23 pm

Re: Best Practice: Login Session on iOS

Post by endernafi » Thu Apr 11, 2013 2:03 am

Excellent :)
Never thought this but yes, it definitely skyrockets the time.
And also, convenient to an honest user,
since he/she may really forget the password and want to try several times.

Thank you Simon,

~ Ender Nafi
~... together, we're smarter ...~
__________________________________________

macOS Sierra • LiveCode 7 & xCode 8

Jellicle
Posts: 453
Joined: Thu Feb 24, 2011 11:07 am

Re: Best Practice: Login Session on iOS

Post by Jellicle » Thu Apr 11, 2013 2:58 am

Ender

I've used the same approach you are thinking about and it worked well. Apple's policies do not restrict the use of in-app sign ons to member-based services so you'll be fine.

Cheers

Gerry
14" MacBook Pro
Former LiveCode developer.
Now recovering.

endernafi
VIP Livecode Opensource Backer
Posts: 296
Joined: Wed May 02, 2012 12:23 pm

Re: Best Practice: Login Session on iOS

Post by endernafi » Fri Apr 12, 2013 8:33 am

Thank you Gerry,

I'll go with this method, then.


Best,

~ Ender Nafi
~... together, we're smarter ...~
__________________________________________

macOS Sierra • LiveCode 7 & xCode 8
