Home/ Questions/Q 7030799
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T00:43:09+00:00

I am creating an app that will require authentication which I have already gotten

  • 0

I am creating an app that will require authentication which I have already gotten working with a login View in XCode. the method I am using currently builds the URL that i submit to my server but it is submitting the login and password in plain test as appended to the url as follows:

http://myurl.com/auth.php?email=email@domain.com&password=mypassword

I did receive some vague advice that they used a “salt and hash 40 character token” but have not been able to see how/where this was done. I can perform some actions on the server side to manipulate data but need to be able to de-salt / de-hash anything i do in xcode ..

Is there a way to have Objective C provide an MD5 hash of the provided password so that the text in the URL request is already encrypted before I submit the url request? I can validate in server side PHP that the MD5 hash provided matches the database’s MD5 hash so that would be perfect if it is possible.

If not then I need to create a method for this salt/hash I can create in Objective C that has to be something I can unravel in PHP to compare to my database.

Thanks in advance.

Silver Tiger

UPDATE: 1-14-2012

Unfortunately the server and SSL options are not under my control though i can make recommendations. I will have to further research SHA1 and/or base64 so that I can create the hash in the app and recreate/compare it on the server. Any pointers to a decent read would be appreciated until I can get SSL.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No need to “be able to de-salt / de-hash anything i do in xcode”.
    This is not how cryptography works.

    Just compare the hash of the text entered with the hash of the expected text.

    The server will probably give you the hashed version of login+password
    Just compute the hash of the entered login+password on your side in Xcode too and compare the two results.

    if ([response_of_server_containing_sha1_of_password equalsToString:[self sha1OfString:password_string_entered_by_user]]) ...

    Or more probably this comparison is done server-side, meaning you probably will send the sha1(password_entered_by_user) to the server and they will compare it with the SHA1 of the password they have stored in their database.

    Anyway, no need to have a bidirectonal cryptography here and no need to decipher (“decrypt”/”de-hash”) anything.

    You obviously need to get more info from the guys implementing the server side of the authentication server, if they don’t give you all the needed information, as which hash (md5? sha1?) they expect you to send, etc.

    (Note anyway, doing authentication in such ways won’t protect the site from security breaches like MITM or replay attacks. If you need better security, consider using SSL / HTTPS)

    • 0