Passing Sensitive Information to a Server from the Corona App

Hello,

I am at a point where I need to transmit sensitive information (such as CC information) from the iPhone/Android app to the server. What is the best way for me to do this so that

  1. It passes the Apple/Android tests
  2. I want to know the best level of security I can provide to our clients using the app

Appreciate any input you guys can provide with this, and this is the deciding factor for us to decide if we want to buy 100 more dev licenses for Corona.

Thanks,
Don.

There’s probably a lot of different ways to go about this - but I’m not an expert on data encryption.

One thing I would say is that it might be advisable to speak to Corona about the Enterprise version which allows Obj-C plug-ins - should the desired encryption means not be available via the normal route.

Also make sure to check out the Apple approval procedure - as the first question they ask is about whether your app uses data encryption - I believe there’s various steps you have to go through to keep Apple happy if you’re doing that. But again I’m not 100% sure on what these entail.

Actually this will be a lot easier than you think. If you use the network.request() API to talk to some web form to transmit the data and you use https instead of http, you will get free encryption that you don’t have to get export compliance on… (At least I believe that to be true).

If you are using sockets you will have to figure out some cryptography. Corona includes a crypto library that I’ve never used but it will require the export compliance paper work.
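
The approach described in the post above (network.request() over https), as an added example that is not part of the original thread and not Corona's own code. The endpoint URL, the field names and the helper names (urlEncode, encodeForm, postSensitive) are assumptions for illustration, and it runs inside the Corona runtime, where `network` is a global.

```lua
-- Added example: send form fields with Corona's network.request(), HTTPS only.
-- The endpoint URL and field names are placeholders, not from the thread.

-- Percent-encode one value for an application/x-www-form-urlencoded body.
local function urlEncode(value)
    return (tostring(value):gsub("[^%w%-%._~]", function(ch)
        return string.format("%%%02X", string.byte(ch))
    end))
end

-- Build "k1=v1&k2=v2" with keys sorted so the output is deterministic.
local function encodeForm(fields)
    local keys = {}
    for k in pairs(fields) do keys[#keys + 1] = k end
    table.sort(keys)
    local parts = {}
    for _, k in ipairs(keys) do
        parts[#parts + 1] = urlEncode(k) .. "=" .. urlEncode(fields[k])
    end
    return table.concat(parts, "&")
end

-- Refuse to send unless the URL scheme is https, so a mistyped
-- "http://" endpoint never carries the data in cleartext.
local function postSensitive(url, fields, onDone)
    if not url:lower():match("^https://[^/]") then
        return false, "refusing non-HTTPS URL"
    end
    local params = {
        headers = { ["Content-Type"] = "application/x-www-form-urlencoded" },
        body = encodeForm(fields),
    }
    network.request(url, "POST", function(event)
        -- event.isError reports a transport-level failure; status is the HTTP code
        onDone(not event.isError and event.status == 200, event.response)
    end, params)
    return true
end

-- Constructed sample call (placeholder host and fields).
postSensitive("https://payments.example.com/submit",
    { order_id = "A-1001", token = "tok_sample" },
    function(ok, body) print("sent:", ok) end)
```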

Thanks SegaBoy and robmiracle. Good to see a few replies. If you guys come across any good articles please do share them with me. We are in the design phase of the application and just trying to get some advice from more experienced people like you guys. I will research into https and try to sniff the port to see if that is good enough. Thanks again.

Hey Rob.

You mentioned that “Corona includes a crypto library that I’ve never used but it will require the export compliance paper work.”

The crypto library also includes the hash functions (md4, md5,…). Do you know whether these hash functions are also considered a form of encryption with regard to the “export compliance paper work”?

I saw some guys saying that md5 cannot be considered encryption because you cannot “decrypt” it … I do not want to enter into a definition discussion, just want to know if you have seen cases of md5 being rejected by Apple…

Thanks,

Renato
 

I’m not sure. I tried to get Apple to pin down an answer once and they gave me a useless vague answer. Maybe someone else has a better answer.
