4

I want to use Apple Push Notification Service, so I need a server. This server will have to check a site every x minutes.

How the site that has to be checked requires the user to login.
So is it ok security wise to get the user to login on a web browser, then upload the cookies which contain the session information (not the user's username or password) and store them in a database which is just one table, with 2 fields, 'cookies' and 'deviceToken' so that the cookies are associated with the device token.
Then perform requests from the server to the site with the user's cookies, on the user's behalf, and if the site has changed push a notification to the user.

Is this a secure method and how exactly would I implement this so that noone else can get access to the database and download the cookies?

Also as long as I let the users choose to enable or disable push notifications (neither opt-in or opt-out) is this morally ok?

AviD
  • 73,317
  • 24
  • 140
  • 221
Jonathan.
  • 141
  • 1
  • 4
  • There are 3 questions here. Is this a secure method? How do I do this? Is it morally sound if users can enable or disable notifications? Can you break these into seperate questions on the site? – Steve Mar 07 '11 at 17:44
  • Oh great I have another account, how many server/security sites can there be? I know how to do this in code, but I'm not sure if that would be secure. So really it's only 1 question, with an extra sentence asking if it's acceptable (which ties into the security) – Jonathan. Mar 07 '11 at 19:07

1 Answers1

2

Is it secure?

If the phone->server connection is not encrypted, then those session cookies can be sniffed. If your server->website connection is not encrypted, then those session cookies can be sniffed.

If cookies can be retrieved by the phone, then an attacker could pose as that phone by sending the same device token and get the cookies back, then hijack that user's session.

And finally, if the cookies are not encrypted in the table and somebody is able to steal the contents of that table, then they can hijack all of your users' sessions at once!

Is it morally okay?

Not unless you explain to the user what you are doing and what the risks are.

By copying a user's cookies and sending them to a target website, you are posing as that user. You could (or anybody else who was able to steal those cookies) hijack that user's session and do nefarious things.

It really depends what that "target" website is. If it's a bank, then this is definitely a bad idea. If it's reddit.com, then this may be reasonable.

Mark E. Haase
  • 1,932
  • 2
  • 15
  • 25