A new iOS app should be able to connect to a web service to synchronize data across multiple devices. I like the way the diary application Day One has solved this problem by offering "real" user accounts and "anonymous" accounts generated automatically:
- When registering, the user can choose to use an email address to create a "real" account, or to log in with his Apple ID.
- When using the "real" account, the email address must be confirmed and a username and password must be chosen.
- When using the Apple ID, no additional steps are required. The application connects to the web service with the help of a random user ID.
- When installing on a new device, you can reconnect using the Apple ID method.
Problem 1: How to access the Apple ID?
As far as I know, it is impossible for the application to really access the Apple ID. Or is there an undocumented way to do this? How is it possible?
I suspect that the application could instead use iCloud to store tokens? iCloud storage is linked to the Apple ID. Thus, when installing on a new device, it would be possible to recover the token from iCloud and use it to reconnect.
Or are there other / better methods?
Problem 2: How to manage authentication?
Let's leave problem 1 aside and suppose we have solved the problem of creating a multi-device username. How could we manage authentication?
- Solution 1: Only the token (Apple ID / registered iCloud username / etc.) is used for authentication. If a request from the application to the server contains a valid username token, access is allowed.
- Solution 2: In addition to the username token, a random password is generated when creating the anonymous account. This can be done on the device or on the server. But since the password must be known at both ends, it must be transferred from one end to the other at some point.
  - 2a: Trust HTTPS and transfer the username and password in the clear.
  - 2b: Use another method (for example, Diffie-Hellman) to agree on a common password.
At first glance, 2b seems to be the safest solution, but is it really? The synchronization data itself is not encrypted but "only" entrusted to the HTTPS connection. Would it add any extra security to transfer the password using another method?
In addition, is there any added security in using a "password"? This is not a password that the user chooses for a username he selected, but a password generated automatically for a username / token that is also generated automatically.
Wouldn't it be the same to just use the generated username token? Only users with access to the token / Apple ID / iCloud account, etc. can access the web service.
So, which solution is the best? Am I missing something and there are better solutions?
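As an added illustration of the difference between Solution 1 and Solution 2 (not code from the question or from Day One): the device generates both a public user ID and a high-entropy secret, and the server keeps only a hash of the secret. A dump of the server's account table then yields identifiers but no usable credentials, which is what the extra "password" buys over a token that is itself the credential. The transfer of the secret at registration is assumed to happen over TLS (the 2a case); `generate_device_credential` and `AnonymousAccountServer` are hypothetical names.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


# ---- device side (hypothetical). A real app would keep this credential in the
# iCloud key-value store or Keychain so a second device can recover it. ----

def generate_device_credential() -> dict[str, str]:
    """Create an anonymous account credential: a public user id plus a secret.

    Both values are random. The secret carries 256 bits of entropy, so the
    server can store a plain SHA-256 digest of it; no salt or slow password
    hash is needed because it cannot be guessed like a human-chosen password.
    """
    return {
        "user_id": secrets.token_hex(16),  # identifier sent with every request
        "secret": secrets.token_hex(32),   # bearer secret, never stored in clear
    }


# ---- server side (hypothetical) ----

class AnonymousAccountServer:
    """Stores only a digest of each account's secret (Solution 2 in the post)."""

    def __init__(self) -> None:
        self._accounts: dict[str, bytes] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def register(self, user_id: str, secret: str) -> bool:
        """Accept a new anonymous account; refuse to overwrite an existing one."""
        if user_id in self._accounts:
            return False
        self._accounts[user_id] = self._digest(secret)
        return True

    def authenticate(self, user_id: str, secret: str) -> bool:
        """Constant-time comparison of the presented secret against the digest."""
        stored = self._accounts.get(user_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(secret))

    def stored_record(self, user_id: str) -> bytes | None:
        """What a database dump would expose for this account: the digest only."""
        return self._accounts.get(user_id)
```

With Solution 1 the server would have to store the token itself, so the same dump would hand out every account's credential.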