I am currently designing an iPhone app. It uses a web API that I’m building in PHP. The app requires users to log in.
What I am currently researching, and having a really hard time figuring out, is if there is a “proper” way to do this.
At this point, I have it so that new users can register right within the app, providing their email and a password. This password is salted (with a static salt – I know – a bad thing, but better than no salt), and then hashed before being sent to the api.
Registration and login work fine. However, wanting to be as security-conscious as possible, I’m trying to figure out if there is a more secure, industry-standard way to do this.
The app requires the login data to live on the server, and not on the device. I may add a web interface later, and the user will need to be able to log in there as well. Because of this, using a random salt for each app install, while more secure, as far as I can tell, will prevent web login since the salt will only exist on the device.
Someone has said to use OAuth, and I would love to pursue that, but I cannot find a single *simple* example of how to use it. Sure, there are plenty of high-level “Here’s how OAuth works” tutorials out there, but it seems that no one has written a *simple* tutorial on this exact use case.
If I could figure it out, I might just do it myself. However, I’m not sure if OAuth is the right tool in this case.
As I understand OAuth, it allows a user to login to my app using another site’s credentials, such as Google, Facebook, Twitter, etc. They authenticate through that other service, and that service passes me a token to use to identify them in the future.
If I’m understanding it correctly, that would be fine. As long as I have a way to identify them, I don’t care how it happens. In fact, I like the idea of letting someone else handle the heavy lifting (security).
So, where do I begin?
At this point, I have no idea. I have seen several projects people have written to “encapsulate” OAuth for Objective-C at a “high level”, but they are anything but simple, and I can’t make any sense of them. Do you really need a degree in computer science just to understand this stuff?
Comments and assistance welcome.
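The concern in the post about a per-install random salt not being available to a later web login goes away when the server, not the device, does the hashing: PHP's password_hash() draws a fresh random salt for every password and stores it inside the returned hash string, so the same database row verifies a login from the app or from a web interface. The block below is an added example of that pattern for a PHP API like the one described, followed by issuing a random bearer token for later requests. It is not code from the post; the table names, column names, and the in-memory SQLite database standing in for the real one are assumptions.

```php
<?php
// Added example (not from the post): server-side registration, login and
// API-token issuance for a PHP web API. Assumptions: a PDO connection $pdo,
// a `users` table (id, email, password_hash) and an `api_tokens` table
// (user_id, token_hash, created_at). The app sends the plain password over
// TLS; all hashing happens here, so no salt ever has to live on the device.

declare(strict_types=1);

// Register: password_hash() generates a random per-user salt and embeds it
// in the returned string ("$2y$10$<22-char salt><31-char hash>" for bcrypt),
// so the stored row is all a later web login needs.
function register_user(PDO $pdo, string $email, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (email, password_hash) VALUES (:email, :hash)'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return (int) $pdo->lastInsertId();
}

// Login: password_verify() reads the salt and cost back out of the stored
// string, recomputes the hash and compares in constant time. Returns the
// user id or null; callers should not reveal which of email/password failed.
function verify_login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Transparently upgrade the stored hash if the default algorithm/cost changed.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $row['id'],
        ]);
    }
    return (int) $row['id'];
}

// Issue an API token after a successful login. Only a SHA-256 of the token is
// stored, so a leaked api_tokens table cannot be replayed; the raw token goes
// back to the app once and is sent later as "Authorization: Bearer <token>".
function issue_api_token(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $pdo->prepare(
        'INSERT INTO api_tokens (user_id, token_hash, created_at) VALUES (:uid, :th, :at)'
    );
    $stmt->execute([
        ':uid' => $userId,
        ':th'  => hash('sha256', $token),
        ':at'  => gmdate('Y-m-d H:i:s'),
    ]);
    return $token;
}

// Resolve a bearer token presented on a later request back to a user id.
function user_for_token(PDO $pdo, string $token): ?int
{
    $stmt = $pdo->prepare('SELECT user_id FROM api_tokens WHERE token_hash = :th');
    $stmt->execute([':th' => hash('sha256', $token)]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// Constructed usage: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT UNIQUE, password_hash TEXT)');
$pdo->exec('CREATE TABLE api_tokens (user_id INTEGER, token_hash TEXT PRIMARY KEY, created_at TEXT)');

$id = register_user($pdo, 'alice@example.com', 'correct horse battery staple');
assert(verify_login($pdo, 'alice@example.com', 'wrong password') === null);
$uid = verify_login($pdo, 'alice@example.com', 'correct horse battery staple');
assert($uid === $id);
$token = issue_api_token($pdo, $uid);
assert(user_for_token($pdo, $token) === $id);
assert(user_for_token($pdo, 'not-a-real-token') === null);
echo "registration, login and token lookup OK\n";
```

Because the salt lives in the stored hash rather than on the phone, a web front end added later runs exactly the same verify_login() against the same rows. The token table holds only a hash of each bearer token, so the raw token exists in the app's keychain and nowhere on the server after issuance; adding an expiry column and a revoke-on-logout DELETE is the natural next step.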