I have an iOS app that communicates with an Apache 2.2 server. I would like to restrict the access to several directories so that only the app will be able to access them (no browser access, no crawlers, etc). What are my options?
Run Apache on a non-standard port, like 8574. This first step will eliminate 99% of the "noise" you're expecting from robots and scripts.
The specific piece of configuration you want in Apache is mod_authz_host. It'll let you filter requests for access based on a variety of factors that Apache terms "environment variables," including the user agent. You could Allow from your custom user agent, then Deny from all.
CAVEAT: With all of that said, filtering based on user agent is not the correct way to implement what you want. Server-side controls are only the beginning of securing your application against unauthorized access. Authenticating to a web service (such as what you are developing) should be implemented using some kind of API key. Many REST APIs do exactly this. If you are not sure as to how to implement key-based cryptography, consult an expert (or face the consequences).
FOLLOW-UP: Implementing public-key cryptography is one of many ways to do the job correctly. Before you dig in, let me say that you're in for a world of hurt. Check out the indispensable "Everything you need to know about cryptography in 1 hour." Note that he says the phrase "consult a cryptographer" six times in the presentation. At its simplest, your server should be able to answer the following questions in the affirmative for any request:
As you can see in the presentation, even well-known APIs like Amazon's don't always get this right. I believe you need an expert on your team, at least to get this part of your application correct.
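To illustrate the caveat above, the following added example (not code from the original answer) contrasts a User-Agent check with an API-key check in which each request carries an HMAC-SHA256 signature. The header names, key store, canonical request string and sample values are assumptions made for this example.

```python
import hashlib
import hmac

# All names and values below are constructed for illustration.
APP_USER_AGENT = "MyApp/1.0"                           # hypothetical custom user agent
API_KEYS = {"ios-app-1": b"constructed-demo-secret"}   # key id -> shared secret
MAX_SKEW_SECONDS = 300                                 # tolerated clock difference


def user_agent_allows(headers):
    """Weak check: passes for any client that sends the same string."""
    return headers.get("User-Agent") == APP_USER_AGENT


def sign(secret, method, path, timestamp, body):
    """HMAC-SHA256 over a newline-delimited canonical form of the request."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, str(timestamp), body_hash])
    return hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()


def signed_headers(key_id, method, path, body, now):
    """Client side: headers the app would attach to one request."""
    signature = sign(API_KEYS[key_id], method, path, now, body)
    return {"User-Agent": APP_USER_AGENT, "X-Key-Id": key_id,
            "X-Timestamp": str(now), "X-Signature": signature}


def api_key_allows(headers, method, path, body, now):
    """Server side: the caller must prove knowledge of the shared secret."""
    secret = API_KEYS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:        # stale or replayed request
        return False
    expected = sign(secret, method, path, timestamp, body)
    supplied = headers.get("X-Signature", "")
    # Constant-time comparison so response timing does not leak the signature.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```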