Sometimes you may want to lock down RESTful APIs or plain HTTP GET resources so that only your own client software can use them, without requiring the user to authenticate. You don't know who is calling (no authentication), but you know the caller is allowed to (authorisation).
If the server has a valid SSL certificate chaining to a root certificate pre-installed on the iPhone (so the secret travels inside TLS and can't be sniffed on the way), among the simplest ways to do it are:
- HTTP Basic Authentication with a static username and password. This needs just an `.htaccess` configuration setting (plus an `htpasswd` file) and you're done.
- A custom HTTP request header carrying a secret token. This also needs just an `.htaccess` rewrite setting (mod_rewrite must be loaded and `AllowOverride FileInfo` granted for the directory):

```apache
RewriteEngine On
# Reject every request whose My-Secret-Token header is not exactly the token.
# "=" is a plain, case-sensitive string comparison; the leading "!" negates it.
RewriteCond %{HTTP:My-Secret-Token} !=WRdsWXwwTZjEIRrgD5tODVf0U
RewriteRule ^.*$ - [forbidden,last]
# Test (use https:// in production, otherwise the token is sent in the clear):
# $ curl --header "My-Secret-Token: WRdsWXwwTZjEIRrgD5tODVf0U" http://myserver.example.com/demo/
```
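To see both variants behave end to end without an Apache box, here is an added example (not code from the original post) that reimplements the same checks in a tiny Python HTTP server and exercises it with a client: a request is allowed if it carries either the static `My-Secret-Token` header from the rewrite rule above or a valid `Authorization: Basic` header. The username `appclient` and password `s3cret` are hypothetical; the token is the one from the `.htaccess` snippet. The server binds to a random localhost port, so the example runs offline.

```python
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Static credentials, same shape as the post's .htaccess settings.
SECRET_TOKEN = "WRdsWXwwTZjEIRrgD5tODVf0U"   # token from the RewriteCond above
BASIC_USER = "appclient"                     # hypothetical, chosen for this example
BASIC_PASS = "s3cret"                        # hypothetical, chosen for this example


def _eq(a, b):
    """Constant-time string compare; encodes first so non-ASCII header values cannot
    raise TypeError inside hmac.compare_digest."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def token_ok(header):
    """Equivalent of `RewriteCond %{HTTP:My-Secret-Token} !=<token>` + [F]."""
    return header is not None and _eq(header, SECRET_TOKEN)


def basic_ok(header):
    """True if an `Authorization: Basic <base64(user:pass)>` header matches the static pair."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so the timing does not reveal which half failed.
    user_match = _eq(user, BASIC_USER)
    pass_match = _eq(password, BASIC_PASS)
    return user_match and pass_match


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if token_ok(self.headers.get("My-Secret-Token")) or basic_ok(self.headers.get("Authorization")):
            body = b"demo resource\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(403)            # Forbidden, like [F] in mod_rewrite
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):              # keep the example quiet
        pass


def start_server():
    """Start the server on 127.0.0.1 on a free port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, headers):
    """Client side: GET /demo/ with the given headers, return the HTTP status code."""
    req = Request(f"http://127.0.0.1:{port}/demo/", headers=headers)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    """Run the five interesting requests and return {case: status}."""
    srv = start_server()
    port = srv.server_address[1]
    basic = "Basic " + base64.b64encode(f"{BASIC_USER}:{BASIC_PASS}".encode()).decode()
    results = {
        "no_header": fetch(port, {}),
        "wrong_token": fetch(port, {"My-Secret-Token": SECRET_TOKEN[:-1] + "u"}),  # last char differs
        "good_token": fetch(port, {"My-Secret-Token": SECRET_TOKEN}),
        "good_basic": fetch(port, {"Authorization": basic}),
        "bad_basic": fetch(port, {"Authorization": "Basic bm90OnJpZ2h0"}),       # "not:right"
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The comparisons use `hmac.compare_digest` rather than `==`; Apache's `=` condition is an ordinary string compare, which is acceptable for a token of this length but is worth avoiding when you write the check yourself.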
Decompiling the app will reveal a hard-coded secret, so this raises the bar but is not bulletproof: whoever extracts the token (or simply watches the app's traffic through an intercepting proxy on a device they control) can call the API themselves. If you don't want the password or secret token as a literal string inside the app, synthesize it at runtime; that hides it from a casual strings dump, but the value still has to exist in memory and on the wire.
If your transport channel isn't confidential (e.g. plain HTTP instead of HTTPS), the static secret is sent in the clear on every request; then you might think about Digest Authentication or a custom CRAM-like challenge-response mechanism, which I will not go into in this post.