iphone: is there any secure way to establish 2-way SSL from an application

Posted by pmilosev on Stack Overflow See other posts from Stack Overflow or by pmilosev
Published on 2010-05-05T16:41:56Z Indexed on 2010/05/05 19:08 UTC
Read the original article Hit count: 372

Filed under:

iphone

|

https

|

security

|

onlinebanking

Hi

I need to establish a HTTPS 2-way SSL connection from my iPhone application to the customer's server. However I don't see any secure way to deliver the client side certificates to the application (it's an e-banking app, so security is really an issue). From what I have found so far the only way that the app would be able to access the certificate is to provide it pre-bundeled with the application itself, or expose an URL from which it could be fetched (http://stackoverflow.com/questions/2037172/iphone-app-with-ssl-client-certs).

The thing is that neither of this two ways prevent some third party to get the certificate, which if accepted as a risk eliminates the need for 2-way SSL (since anyone can have the client certificate).

The whole security protocol should look like this: - HTTPS 2-way SSL to authenticate the application - OTP (token) based user registration (client side key pair generated at this step) - SOAP / WSS XML-Signature (requests signed by the keys generated earlier)

Any idea on how to establish the first layer of security (HTTPS) ?

regards

© Stack Overflow or respective owner

Related posts about iphone

iphone - direct link to iPhone review form from inside iphone

as seen on Stack Overflow - Search for 'Stack Overflow'
I am trying to link directly to the review link of one of my Apps. I know that it is possible because Appirater did it in the past, but some change in iTunes turned the API down. Appirater uses this URL NSString *templateReviewURL = @"itms-apps://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews… >>> More
Buy iPhone 4 Without Contract: $599 (AT&T) and $699 (Verizon)

as seen on Tech Dreams - Search for 'Tech Dreams'
Purchasing iPhone without a contract is a good option when you are planning to gift it to someone or going to use it outside US. Both AT&T and Verizon lets you iPhone 4 without a contract but this information is buried deep under blurred text in FAQs and agreements. Here is the pricing… >>> More
Is it possible to download and run IPhone apps on an IPhone emulator

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am tasked to provide an IPhone client app for our SaaS website. I have never written an IPhone application, nor do I have an IPhone at the moment. Before I can decide whether or not I want to do this myself or outsource this, I'd like to try a few apps myself to get a feeling for the UI. Is… >>> More
iPhone web app from dashcode rss feed template works deployed on simulator but not on iphone

as seen on Stack Overflow - Search for 'Stack Overflow'
iPhone web app from dashcode rss feed template works deployed on simulator but not on iphone. The web app is deployed at; http://www.alila.se/wordpress/index.html If i run the simulator and enter that adress, it fetches the rss feed and displays it. Everything fine. When i enter the adress into… >>> More
Problem running iPhone application on iPhone from Xcode (and in Instruments)

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi I have a problem running one application on the iPhone from Xcode (or Instruments). When I try to run the app I get the error message Failed to upload XXX.app in the bottom left corner of Xcode. The strange thing is it actually uploaded the app to the iPhone but it doesn't start it (after this… >>> More

Related posts about https

Need Java https proxy which can be enhanced to emulate production https proxy behaviour

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a production environment which require access through a proxy server. Occasionally said server returns blank responses badly confusing the Metro web service library causing all kinds of interesting RuntimeExceptions. I believe the proxy is Squid. In order to handle these better, I would… >>> More
How To Find Out If You are Using HTTPS Without $_SERVER['HTTPS']

as seen on Stack Overflow - Search for 'Stack Overflow'
I've seen many tutorials online that says you need to check $_SERVER['HTTPS'] if the server is connection is secured with HTTPS. My problem is that on some of the servers I use, $_SERVER['HTTPS'] is an undefined variable that results in an error. Is there another variable I can check that should always… >>> More
Apache: https to https redirect

as seen on Super User - Search for 'Super User'
I'm trying to get Apache to redirect all http and https traffic to a single endpoint www.example.org. The http part is easy: <VirtualHost *:80> ServerName example.org Redirect permanent / https://www.example.org/ </VirtualHost> # long list of other domains, all redirecting to… >>> More
Redirect request from https domain to https subdomain with only one certificate

as seen on Server Fault - Search for 'Server Fault'
I'm trying to redirect users to a subdomain in server2 if they make an https request to server1. I only have one certificate, and that's installed on server2. So for instance, from (server1) https://www.example.com to (server2) https://ssl.example.com My best guess is that I will need a certificate… >>> More
SSL / HTTP / No Response to Curl

as seen on Server Fault - Search for 'Server Fault'
I am trying to send commands to a SOAP service, and getting nothing in reply. The SOAP service is at a completely separate site from either server I am testing with. I have written a dummy script with the SOAP XML embedded. When I run it at my local site, on any of three machines -- OSX, Ubuntu,… >>> More