Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
P
P
Pavel Golubev2013-09-17 04:32:06
iOS
Pavel Golubev, 2013-09-17 04:32:06

How to establish a really secure connection between an iOS app and an XMPP server

So, the idea is to establish a really secure connection between the iOS app and the XMPP server in order to prevent any possible spoofing, sniffing, Man in the middle attacks, Replay and others. After several days of searching, I came up with the following model. Please let me know if it's secure enough or if I'm missing something or if there's something that can be improved.

Establishing a secure connection to an XMPP server

A connection can only be established to one specific XMPP server, hardcoded into the application code.
Access to the server without encryption is prohibited, only SSL/TLS.
A connection can only be established if the server's SSL certificate is considered valid.
In order to prevent MITM if the root CA server is compromised, SSL pinning is used, that is, the server's public key is immediately hardwired into the application code.

OTR

Any conversation within the application is conducted using OTR version 3 encryption.
The authenticity of the interlocutor is established using the SIGMA algorithm on which OTR is based, thus we prevent possible MITM attacks. Right?

TOR

Even if both OTR and SSL are broken (is it possible in this configuration?), the client always connects to the server only through the TOR network, which allows it to mask its original IP.

Do I need to add something to this configuration to consider it completely secure? Does SSL need to be wrapped in some other protocol in case there are backdoors in SSL? What?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
M
mayorovp, 2013-09-17
@mayorovp

The main security threat is the iOS app auto-update mechanism and the communication channel with the AppStore. Unfortunately, this problem is unresolvable.

Report
B
bebebe, 2013-09-17
@bebebe

What specific server do you want to connect to? With an arbitrary one or your own?
If with your own, then you don’t care what the certificate will be there, even though it’s self-signed, you don’t even need a CA, check through pinning and everything is OK.
If you connect to other servers (arbitrary?), how will you monitor whether their certificate has changed or not? Only after users complain that everything fell off, do you really make sure that the certificate has changed and start releasing a new version?
ps in fact, you still have to wrestle with Apple in pushing the application into the AppStore. There are some terrible restrictions on the use of cryptography.

Report
M
mayorovp, 2013-09-18
@mayorovp

Then the thought came to my mind - why not use i2p instead of tor? In general, it solves all the tasks you set. Is that the second level to add in case of a backdoor.

Similar questions
B
bigtrouble2015-06-02 12:22:58
How to prevent a merge "from" a specific branch? 2Reply
A
Alexbert2017-07-17 17:24:19
How to maintain documentation on servers (Sys.Administration)? 6Reply
P
Petronomist2019-05-09 05:47:24
Is it possible to set up "FAST" geolocation in the smartphone application? 2Reply
T
The_XXI2019-05-13 12:43:05
Is it possible to develop applications in Python Kivy for IOS? 0Reply
M
MrZombie2014-12-20 23:33:06
How to transfer contacts from iOS to Android without losing contact photos? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question