Secure communication between ASP and Cocoa / ObjC pages


This is an odd one. I developed a simple iPhone application for management at my company to check real-time sales statistics. The first hurdle was figuring out how to get the app to communicate with our old MSSQL 2005 server. After some research it seemed like the fastest way to do it was to create a basic ASP page that would spit out query results with response.write() calls. This works pretty well actually, but the ASP page that returns the results is open to the entire world. The only 'security' mechanism I've got on it isn't really one at all: changing the HTTP port on the server side.

So my question is: what are best practices for this? What would work between ASP and Objective-C? I've read up on some basic challenge-response, encryption, and the like, but it seems like overkill for a simple string of generally unintelligible sales numbers. As the app develops into something more complex, however, I'd like this problem solved before the ASP starts sending back more sensitive data.

Here is my connection to server code, if it helps. The constant is just there so I can append POST data to it to get to different stats based on what I want from the app. The logic for this is elsewhere and not really important.

NSString * const appDataUrl = @"http://{the url for the asp page}";

//Don't ask me how this works. Google FTW...
-(NSString *) pullData:(NSString *) url {
    NSError * error = nil;
    NSURLResponse * response = nil;
    NSData * downloadedData =
        [NSURLConnection sendSynchronousRequest:
         [NSURLRequest requestWithURL:
          [NSURL URLWithString:url]] returningResponse:&response error:&error];
    NSString *strData = [[NSString alloc]initWithData:downloadedData encoding:NSUTF8StringEncoding];
    return strData;
}

Thanks guys.

You can use HTTP Authentication (Digest for example) in which you would add a username and password to each request. I don't know if Objective-C has the necessary library to generate the relevant digest token, but if it doesn't you can use one of the HTTP libraries available which I'm sure can handle that.

You can then add the authentication required inside IIS so that only people who know the username and password can access that URL.

Another way of doing that would be to add a special header to the HTTP request in Objective-C, something like X-Auth with a special random value (it can be a predefined GUID).

The request will be sent with that special header and you can check its existence and its value in ASP.

I would also suggest adding SSL so you can access this request via HTTPS so that no one can sniff the data out.
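The custom-header and HTTPS suggestions above, combined on the client side, as an added example that is not part of the original question or answer. The URL, the token value and the `PullData` function name are placeholders, and it assumes the ASP page answers a missing or wrong header with a non-200 status.

```objc
#import <Foundation/Foundation.h>

// Placeholders constructed for this example; substitute your own values.
static NSString * const kAppDataUrl = @"https://stats.example.invalid/sales.asp";
static NSString * const kAuthHeader = @"X-Auth";
static NSString * const kAuthToken  = @"00000000-0000-0000-0000-000000000000";

// Returns the response body, or nil (with *outError set) when the request
// is refused locally, fails in transit, or is rejected by the server.
static NSString *PullData(NSString *urlString, NSError **outError) {
    NSURL *url = [NSURL URLWithString:urlString];

    // Never send the shared value over plain HTTP, where it can be sniffed.
    if (url == nil || ![[[url scheme] lowercaseString] isEqualToString:@"https"]) {
        if (outError) {
            *outError = [NSError errorWithDomain:NSURLErrorDomain
                                            code:NSURLErrorBadURL
                                        userInfo:nil];
        }
        return nil;
    }

    NSMutableURLRequest *request =
        [NSMutableURLRequest requestWithURL:url
                                cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
                            timeoutInterval:15.0];
    // The header the ASP page checks before running any query.
    [request setValue:kAuthToken forHTTPHeaderField:kAuthHeader];

    NSURLResponse *response = nil;
    NSError *error = nil;
    NSData *data = [NSURLConnection sendSynchronousRequest:request
                                         returningResponse:&response
                                                     error:&error];
    if (data == nil) {
        if (outError) { *outError = error; }
        return nil;
    }

    // Assumption: the server replies 401/403 when the header is missing or
    // wrong. Do not hand an error page to the caller as if it were statistics.
    NSInteger status = [response isKindOfClass:[NSHTTPURLResponse class]]
        ? [(NSHTTPURLResponse *)response statusCode] : 0;
    if (status != 200) {
        if (outError) {
            *outError = [NSError errorWithDomain:NSURLErrorDomain
                                            code:NSURLErrorUserAuthenticationRequired
                                        userInfo:@{ @"status" : @(status) }];
        }
        return nil;
    }
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

A value compiled into the app can be recovered from the binary, so it gates casual access to the page rather than identifying individual users.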