Tags: ios, https, nsurlconnection, pki

If a client connects to a server using a hard-coded url is it secure?


I have a client (on iOS) that connects to a server using a hard-coded https url.

When a connection is established the server may indicate that for future connections a different machine name and/or port should be used. In addition the server can specify url location suffixes to fetch data from.

i.e. the following URL might be hardcoded in the client:

https://machineName.address.port/url-suffix

and after a connection is established the server could inform it to use machineName2 and portX and url-suffix /someLocation/somewhere, so the next time the client connects it will use the url

https://machineName2.address.portX/someLocation/somewhere.

The address part of the url cannot change.

At the moment the client has the following for the connection authentication challenge, i.e. it'll connect to anything:

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    // Take whatever SecTrustRef the server presented and wrap it in a credential
    // without evaluating it, so any certificate (self-signed, wrong host, expired)
    // is accepted and the connection proceeds.
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
    [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
}

At the moment this app isn't doing anything that requires heavy security - there's no bank info being accessed, the user doesn't log onto anything, no user info is being transmitted. The client is just downloading data from the server onto the device.

Without adding certificate checking on the client side could a spoof server send porn to the device or something, or is the fact a https connection is made and the url address is hardcoded sufficient?


Solution

  • HTTPS provides data encryption and authentication, but your certificate should be signed by a certificate authority. Accessing a hardcoded URL is not a security flaw—that's how webservices/APIs work. However, without proper certificate setup someone could potentially impersonate your server. Just using SSL/TLS is not enough.
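The hardened counterpart of the question's challenge handler, added here as an example (it is not code from the question or the answer): it lets the system validate the chain and hostname, enforces the fixed address part the question describes, and pins the leaf certificate. It assumes a DER file "server.cer" is shipped in the app bundle and uses ".address" as a stand-in for the question's placeholder domain.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hardened replacement for the trust-everything handler in the question.
// Assumptions: the bundle contains "server.cer" (DER) holding the expected
// leaf certificate, and ".address" stands for the question's fixed domain.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    // Only the server-trust challenge is handled here; other methods keep defaults.
    if (![challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    // The question says only machine name and port may change, never the
    // address part, so refuse any host outside that domain up front.
    NSString *host = challenge.protectionSpace.host;
    BOOL hostIsOurs = [host hasSuffix:@".address"];  // placeholder domain

    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    // Step 1: system validation of the chain against the CA store plus the
    // hostname check (the SSL policy already carries the host being dialled).
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainIsValid = (status == errSecSuccess) &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // Step 2: pin the leaf. A CA-signed certificate for some other name would
    // already fail step 1; pinning also rejects a mis-issued one for our name.
    BOOL leafIsPinned = NO;
    if (chainIsValid && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
        NSData *expected = [NSData dataWithContentsOfFile:path];
        leafIsPinned = (expected != nil) && [presented isEqualToData:expected];
    }

    if (hostIsOurs && chainIsValid && leafIsPinned) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Wrong host, untrusted chain or unexpected leaf: drop the connection
        // rather than download whatever the answering machine serves.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
```

SecTrustEvaluate is the API of the NSURLConnection era; on iOS 12 and later the same check is SecTrustEvaluateWithError, and a pinned certificate must be rotated in the app before the server's certificate expires.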