I am currently working on a mobile app that has an accompanying web service being developed in PHP. The one thing that we want to make sure is that the users' data is safe in every possible way.

After careful evaluation, we have decided to use RNCryptor for all things related to encryption. This is in addition to the HTTPS connection. The current process is like below (login example):

  1. The RNCryptor library on iOS uses a key to encrypt the password before sending it to the server.
  2. The server then stores this encrypted password on the database.
  3. While re-authenticating, the app sends the password (again encrypted with the static key) and the server decrypts it (meaning the server also has the encryption key), verifies the login and sends the login key (encrypted with the same static key) back to the client.
  4. Every subsequent request relies on the encrypted loginKey and the username for authenticating the validity of the user and login session.

I believe the above system is flawed because of the STATIC encryption keys and since the key is available on both the server and the client.

What we would like is to make the encryption key dynamic by merging the raw password with the STATIC encryption key. This would make the encryption key unique for each user, but it also means the server will have no idea about the key. It is essential for the server to know the key since other user data also gets encrypted and decrypted based on this key.

Can somebody help me out with this? What steps do I need to take to make the system more secure? Any code snippet or reference link specific to server-mobile client would also do. I know there are a lot of tutorials out there, but almost all of them assume the client to be web-based and not mobile.

PS: Sorry for such a long post.
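The two key designs the post describes (one static key on app and server, versus a per-user key merged from the static key and the raw password), as an added Go example that is not the asker's code and does not use RNCryptor itself: AES-256-GCM stands in for RNCryptor's AES-CBC/HMAC container, the static key value is a constructed placeholder, and the per-user derivation is HMAC-SHA256 rather than a password-stretching KDF. It shows that under design 1 anyone holding the static key and the database row recovers the raw password, while under design 2 the server can open user data only while it still has the password in hand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Stand-in for RNCryptor (which is AES-CBC plus HMAC-SHA256): AES-256-GCM, nonce prefixed to the blob.
func sealBlob(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

// openBlob returns ok=false when the key is wrong, because GCM authentication fails.
func openBlob(key, blob []byte) ([]byte, bool) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	pt, err := aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
	return pt, err == nil
}

// Design 1 from the post: one STATIC key baked into the app and held by the server (constructed value).
var staticKey = sha256.Sum256([]byte("placeholder-static-key"))
// Design 2 from the post: per-user key from the static key merged with the raw password (HMAC-SHA256 here; use a stretching KDF such as PBKDF2 for real).
func perUserKey(password string) []byte {
	mac := hmac.New(sha256.New, staticKey[:])
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

// Design 1: whoever holds the static key and the database row gets the raw password back.
func ServerCanRecoverPassword(password string) bool {
	stored := sealBlob(staticKey[:], []byte(password)) // what the app sends and the DB keeps
	got, ok := openBlob(staticKey[:], stored)
	return ok && string(got) == password
}

// Design 2: the blob opens only with the password-derived key, never with the static key alone (the post's dilemma).
func ServerNeedsPassword(password string) (withStaticOnly, withPassword bool) {
	blob := sealBlob(perUserKey(password), []byte("other user data"))
	_, withStaticOnly = openBlob(staticKey[:], blob)
	_, withPassword = openBlob(perUserKey(password), blob)
	return withStaticOnly, withPassword
}
```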
