Verify backend calls from iOS app
I am trying to find an equivalent of this Android verification but for iOS.

Initially posted in a blog post but now incorporated into the main Android documentation, the verification lets you know three things:

  1. The token was issued by Google.
  2. The token was sent to a device that was being operated by the person identified in the payload's email field.
  3. The token was obtained by the Android app identified by the Client ID in the payload’s azp field.

The key point is that:

GoogleAuthUtil will observe that the Android app and the web client ID are in the same project, and without user approval, return an ID token to the app, signed by Google.

Therefore, I am able to verify backend calls, without disrupting the user.

Is there something similar for iOS from Apple, where I can get an ID token signed by Apple when Apple observes that the iOS app and the web client ID?

I have found a SO question trying to find something similar, but I am hoping for a simpler solution. That question was more than a year ago, so I am hoping there maybe a better answer, possibly with the new CloudKit web services.

Pearsall answered 2/8, 2015 at 4:26 Comment(6)
The closest thing I've found is this: riskcompletefailure.com/2013/11/…, although this isn't quite the same as the Android equivalent that you mention, as this still requires the user to have a Google Gmail account, which some of my iOS users may object to. I've been looking for the same thing as you for months now without success: it looks like the only way to verify server comms without user approval is to invent a home-grown mechanism from scratch! -- Sommersommers
Hey, you can still do OAuth2, getting essentially everything: raywenderlich.com/99431/oauth-2-with-swift-tutorial. Let me know what this looks like to you. -- Evieevil
@yet did you find any solution for that? Now I am facing a similar issue; please guide me on how you achieved that. -- Shallow
@bittoo, sorry, I didn't. -- Pearsall
Are you talking about the ID to fetch push notifications? -- Candiecandied
Why don't you use SSL certificates for verification of requests sent to or received from Google, and device IDs to verify a valid user? -- Eucaine
Luckily I've come across this thread on Stack Exchange where the user Iwaz left a comment.

Iwaz points to Apple's DeviceCheck framework, which can be used to verify whether a call to your API comes from an actual installation of your iPhone app.

According to the docs it works as follows:

  1. Get the current DCDevice by calling DCDevice's currentDevice method.
  2. From that DCDevice call its generateTokenWithCompletionHandler method to obtain a token.
  3. Send that token along with your other data when making requests to your API.
  4. In your API server code, call Apple's API by providing the token to validate it as described here.
Staffan answered 8/2, 2019 at 16:54 Comment(0)
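The backend side of steps 3 and 4, as an added example in Python; this is not Apple's code and not the answer author's. It assumes the iOS app sends the base64 string it gets from DCDevice.generateToken as a `device_token` field next to its normal request payload; the Team ID and Key ID values, the `fake_signer`, the `fake_apple` endpoint and its error messages are all constructed placeholders so the module runs offline. The endpoint URL, the JWT shape (ES256, `kid`, `iss`, `iat`) and the three request fields are what Apple's validate_device_token API requires.

```python
"""Backend half of the DeviceCheck flow: receive the app's token, ask Apple whether it
came from a genuine install, and turn Apple's HTTP status into a yes/no decision.
Added example; Team ID / Key ID, fake_signer and fake_apple are constructed stand-ins."""
import base64
import json
import time
import uuid
from typing import Callable, Optional, Tuple

# Apple's production endpoint; the sandbox host is api.development.devicecheck.apple.com.
DEVICECHECK_URL = "https://api.devicecheck.apple.com/v1/validate_device_token"

Signer = Callable[[bytes], bytes]                          # message -> raw 64-byte r||s
Poster = Callable[[str, dict, bytes], Tuple[int, bytes]]  # (url, headers, body) -> (status, body)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_client_jwt(team_id: str, key_id: str, signer: Signer, now: Optional[int] = None) -> str:
    """JWT for the Authorization header: alg ES256, kid = DeviceCheck Key ID, iss = Team ID."""
    header = {"alg": "ES256", "kid": key_id}
    payload = {"iss": team_id, "iat": int(now if now is not None else time.time())}
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))

def es256_signer_from_pem(pem: bytes) -> Signer:
    """Production signer for the .p8 key from the developer portal. Imports `cryptography`
    lazily so the rest of the module runs without it; JWS wants raw r||s, not DER."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
    key = serialization.load_pem_private_key(pem, password=None)
    def sign(message: bytes) -> bytes:
        r, s = decode_dss_signature(key.sign(message, ec.ECDSA(hashes.SHA256())))
        return r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return sign

def well_formed_token(field) -> bool:
    """Cheap local check so junk never costs an Apple API call: the client base64-encodes the
    token Data, and Apple's endpoint takes that same base64 string."""
    if not isinstance(field, str) or not field:
        return False
    try:
        base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return True

def validate_device_token(device_token, team_id: str, key_id: str, signer: Signer,
                          post: Poster, url: str = DEVICECHECK_URL,
                          now: Optional[float] = None) -> Tuple[bool, str]:
    """Step 4: ask Apple whether device_token came from a genuine install of our app.
    Only HTTP 200 (empty body) means genuine. 4xx means Apple rejected the token or our JWT;
    5xx means Apple was unreachable and is reported separately so the caller can decide
    between fail-open and fail-closed. transaction_id must be fresh per call."""
    if not well_formed_token(device_token):
        return False, "malformed device_token"
    now = time.time() if now is None else now
    body = {
        "device_token": device_token,
        "transaction_id": str(uuid.uuid4()),
        "timestamp": int(now * 1000),          # milliseconds since the epoch
    }
    headers = {
        "Authorization": "Bearer " + build_client_jwt(team_id, key_id, signer, int(now)),
        "Content-Type": "application/json",
    }
    status, resp = post(url, headers, json.dumps(body).encode())
    if status == 200:
        return True, "genuine device"
    if 400 <= status < 500:
        return False, "rejected by Apple: " + resp.decode(errors="replace")
    return False, "Apple unavailable (HTTP %d)" % status

# --- offline demo with constructed stand-ins (not a real key, token or Apple response) ---
GOOD_TOKEN = base64.b64encode(b"constructed-sample-device-token").decode()
fake_signer = lambda message: bytes(64)   # right shape (64 bytes), no real ES256 signature

def fake_apple(url: str, headers: dict, body: bytes) -> Tuple[int, bytes]:
    """Constructed stand-in for Apple's endpoint: checks request shape, accepts only GOOD_TOKEN."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, b"missing bearer token (constructed message)"
    data = json.loads(body)
    if set(data) != {"device_token", "transaction_id", "timestamp"}:
        return 400, b"bad payload (constructed message)"
    return (200, b"") if data["device_token"] == GOOD_TOKEN else (400, b"bad token (constructed message)")

def demo() -> dict:
    args = ("TEAMID0000", "KEYID00000", fake_signer, fake_apple)   # placeholder IDs
    return {
        "genuine": validate_device_token(GOOD_TOKEN, *args)[0],
        "forged": validate_device_token(base64.b64encode(b"someone else").decode(), *args)[0],
        "garbage": validate_device_token("not base64!", *args)[0],
    }

if __name__ == "__main__":
    print(demo())
```

In production, `signer` is `es256_signer_from_pem(open("AuthKey_KEYID.p8", "rb").read())` and `post` is any HTTP client that returns `(status, body)` for a POST (for example `urllib.request`, catching `HTTPError` to get the 4xx body). Note what a 200 does and does not prove: the token came from a genuine install of your app on a real Apple device, which is the property the question asks for, but it says nothing about which user is signed in, so it complements user authentication rather than replacing it.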
