> Or is that an attacker wouldn't be able to figure out how to format the
> parameters?
Bingo. Nor will he know valid values for those parameters.
If someone goes to the trouble to run the app in an environment where he can
scrutinize memory contents, then he can figure all this out. But that's
bey
On 5/18/2011 3:27 AM, G S wrote:
> > I'm probably being obtuse here, but I don't see how encrypting your
> > request with a public key would help you with your original problem.
> > What stops a rogue app from doing the same encryption?
> They can't see what the parameters are. So what are they
Agreed they can't see the original parameters, but can't they replay the
same encrypted data and make the server believe that the request came from a
genuine client? If the server, through some mechanism, is able to validate
that the client possesses the original Key and IV before sending the XML
d
>
> I'm probably being obtuse here, but I don't see how encrypting your
> request with a public key would help you with your original problem.
>
> What stops a rogue app from doing the same encryption?
>
They can't see what the parameters are. So what are they going to encrypt?
On Tue, May 17, 2011 at 2:52 PM, G S wrote:
> Hi all.
>
> I have an iPhone app that retrieves database info by issuing HTTP GETs to
> PHP pages on a server. All I want to do is encrypt the parameters sent in
> the URL, to prevent people from spoofing our app and abusing our database
> (most likel
On Tue, May 17, 2011 at 02:22:46AM -0700, G S wrote:
> 1. Generate a random key and initialization vector to encrypt the block of
> text.
> 2. Encrypt that random key with the RSA public key.
> 3. Encrypt the data payload with the random key and IV, using Blowfish or
> other encryption.
> 4. Send