Protect Data in Transit
One of the weakest points of any application is its information interface with the outside world. This is particularly true for iPhone apps.
Nowadays, the vast majority of devices that run OS X are mobile. So we need to be suspicious of things like the Domain Name System, and of the local network in general. Traffic on a wireless network can easily be monitored and tampered with by a third party. That's why any sensitive data should be sent and received protected with SSL.
There are two really easy ways to do that:
- NSURLConnection with an https URL
- CFReadStream with SSL extensions
Now, whichever you use, never ever disable chain validation. If you do, you are basically telling the certificate system to accept any certificate, even one tampered with by a third party. The one case in which you may want to do this is if you are expecting to use a self-signed certificate. In that case, you have to validate specifically that the certificate you've been presented is the one that you are expecting, which is a fairly complicated thing to do. That being said, unless you have a really compelling reason to self-sign your certificates, don't do that.
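As an added example (not code from the original article), here is an NSURLConnection delegate that handles the self-signed case the safe way: chain validation stays on, but the app's bundled copy of the server certificate becomes the only trusted anchor, and the presented leaf must match it byte for byte. The bundled file name `expected_server.der` and the class name are assumptions.

```objective-c
// Added example: pin a self-signed server certificate without disabling chain validation.
// Assumes the app bundles the server's DER certificate as "expected_server.der" (hypothetical name).
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge (e.g. HTTP auth): let the system handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;

    // Load the single certificate we are willing to trust for this host.
    NSString *path = [[NSBundle mainBundle] pathForResource:@"expected_server" ofType:@"der"];
    NSData *expected = [NSData dataWithContentsOfFile:path];
    SecCertificateRef anchor = expected ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)expected) : NULL;
    if (anchor == NULL) { [challenge.sender cancelAuthenticationChallenge:challenge]; return; }

    // Make that certificate the ONLY anchor. Validation still runs (signature, expiry,
    // hostname); we replace the system roots, we do not bypass the check.
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[(__bridge id)anchor]);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = (status == errSecSuccess) &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // Belt and braces: the presented leaf must be exactly the certificate we bundled.
    BOOL sameLeaf = NO;
    if (trusted && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafData = CFBridgingRelease(SecCertificateCopyData(leaf));
        sameLeaf = [leafData isEqualToData:expected];
    }
    CFRelease(anchor);

    if (trusted && sameLeaf) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge]; // fail closed
    }
}
@end
```

Replacing the bundled certificate means shipping an app update, so plan for rotation before the pinned certificate expires.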
For Macintosh apps that download updates, the downloaded code should also be signed. In this case, it is very important to verify that the signing certificate is the appropriate one, because anyone can get a code signing certificate.