Encrypt data in the app and decrypt in the API

Guys,

I have an iOS app which posts data to my Vapor API; my API uses the same methods the book instructed. I was observing the data using Charles Proxy and noticed that the data I posted in my iOS app could be observed. For example: {"event":"Main","date":"2019-05-06 01:28:39"}.
I want to know if this could be avoided: if there is a way to encrypt the data sent to the database, then it couldn’t be seen by Charles Proxy. BUT, since it isn’t sensitive data, I want to be able to GET this data in my database. So, I want the data to be sent encrypted but I want my API to decrypt it. What is the best way to do that?

@macbieoo so the easiest (standard) way is to use HTTPS in production - this encrypts the data between your client and server. However you’ll still be able to intercept stuff from your iOS app with Charles if you install the Charles root cert. The way around this is to use certificate pinning, which only allows the certificates you know about.

However anything you deploy to an iOS device can be read by someone with enough means if they really want to (they can decompile your app etc). I’d stick to just HTTPS for now and then maybe certificate pinning if your use case requires it.
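The certificate pinning mentioned in the answer above, sketched as a `URLSessionDelegate` (an added example, not part of the original posts or of the Vapor book). It assumes iOS 15 or later; the class name `PinnedSessionDelegate` and the fingerprint strings are placeholders to be replaced with the SHA-256 of your own server certificate.

```swift
import Foundation
import CryptoKit
import Security

// Added example. PinnedSessionDelegate is a hypothetical name and the pins are placeholders.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Hex SHA-256 of the DER-encoded server certificates the app accepts.
    // Ship the current certificate and its planned replacement, so that a
    // certificate rotation does not lock out app versions already installed.
    private let pinnedFingerprints: Set<String> = [
        "<sha256-hex-of-current-certificate>",
        "<sha256-hex-of-backup-certificate>",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are checked here; others get default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Normal chain and hostname validation must still pass.
        // 2. The leaf certificate must also be one we know about. A proxy whose
        //    root certificate is trusted on the device passes step 1 but presents
        //    its own leaf certificate, so it fails step 2.
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedFingerprints.contains(Self.fingerprint(of: leaf)) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    // Lowercase hex SHA-256 over the certificate's DER bytes.
    static func fingerprint(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
    }
}

// Every request made through this session is subject to the pin check.
let session = URLSession(configuration: .ephemeral,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
```

Pinning the whole leaf certificate means each certificate renewal needs a matching pin in a released app version before the server switches over.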

Thank you very much for your very clear explanation.
