Today is a good day to code

Mides and No Remote FTP

Posted: December 31st, 1969 | Author: | Filed under: iPhone, mides, Uncategorized | Tags:

I have frequently been asked why I have not added remote (web) FTP to Mides. The basic answer is that I see Mides first and foremost as an IDE. As an IDE, it needs to be able to edit source code files, it needs to be able to preview / run / test these files, and ideally it should have good documentation. The FTP in Mides is only there because it was the easiest way to get files onto and off of the phone. WebDAV is another candidate that I might look at for communicating more easily with Windows machines, but either way, using an FTP server like CrossFTP and Bonjour, or installing IIS and WebDAV, is painful. Macs have FTP built in, which made it sort of a no-brainer for me. FTP is a nice-to-have, but there are several reasons why it isn’t truly practical on the iPhone.

The first is obvious. If you have a production web site, why would you want to be doing edits live on the server? Aside from the security concerns, which can be addressed with SCP or SFTP, there is the simple matter of practicality. How could you possibly preview the site in Firefox or IE? Your edits could break your web application for 75 percent of your user base, and you wouldn’t know it until you got back to your computer. It is always better to at least check your work using your desktop before letting it loose on the world at large.

The second is security. If you are accessing FTP without using SSH, you are giving your password to whoever is sitting between you and your web server. This is especially dangerous on the iPhone and iPod Touch, where you may be riding on a foreign access point (Wi-Fi). There are many routers with cracked firmware out there, and if someone is logging all of the URLs used to make calls over their device, they would get your username and password. If your public web application was accessible, they could deface your site easily, or worse, they could redirect traffic from your site to a malicious domain of their own. Even with SSH, there are many well-known SSH exploits that can be run against exposed sshd servers on the web. It is always better to use certificates, which are difficult to get onto the iPhone / iPod Touch.
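The exposure described above can be checked from the defender's side. This is an added example, not code from Mides or the original post: it scans a constructed FTP control-channel log and reports sessions where `PASS` was sent without a successful `AUTH TLS` (FTPS, RFC 4217, used here as the marker of an encrypted control channel; SFTP over SSH never appears as FTP commands at all). The log format, the name `audit_ftp_control` and the sample sessions are assumptions.

```python
import re

# Constructed sensor log (not real traffic): "C:" client lines, "S:" server lines.
SAMPLE = """\
s1 S: 220 FTP ready
s1 C: USER deploy
s1 S: 331 Password required
s1 C: PASS constructed-secret-1
s1 S: 230 Login successful
s2 S: 220 FTP ready
s2 C: AUTH TLS
s2 S: 234 Proceed with negotiation
s3 S: 220 FTP ready
s3 C: AUTH TLS
s3 S: 502 Command not implemented
s3 C: USER deploy
s3 S: 331 Password required
s3 C: PASS constructed-secret-2
s3 S: 530 Login incorrect
"""

LINE = re.compile(r"^(\S+) ([CS]): (\S+) ?(.*)$")

def audit_ftp_control(log):
    """Return {session: finding} for every session whose PASS crossed in cleartext."""
    state, findings = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, side, verb, arg = m.groups()
        s = state.setdefault(sid, dict(pending=False, tls=False, refused=False, user=None))
        if side == "S":
            if s["pending"]:              # this reply answers AUTH TLS
                s["tls"] = verb == "234"  # 234 = server accepts TLS (RFC 4217)
                s["refused"] = not s["tls"]
                s["pending"] = False
            continue
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            s["pending"] = True
        elif verb == "USER":
            s["user"] = arg
        elif verb == "PASS" and not s["tls"]:
            # Record that a password was exposed, never the password itself.
            findings[sid] = {"user": s["user"], "tls_refused": s["refused"]}
    return findings

if __name__ == "__main__":
    print(audit_ftp_control(SAMPLE))
```

Session `s3` is the case worth alerting on separately: the client asked for TLS, the server refused, and the client sent its password in the clear anyway.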

The third is that your communication could be interrupted. This doesn’t sound too bad, but if your file doesn’t complete uploading, depending on your FTP daemon, you could corrupt a file on the server in a subtle way that you couldn’t find.

To prevent all of this, deployments to production should only happen directly from the staging server with code that has been tested in all required browsers. This mitigates the possibility of corruption and security violations. Use AFP or SMB to transfer files over VPN, and use Kerberos authentication with either to make sure no one can snoop on your password. These things will keep you safe. If you want to work from your phone, use Mides and a good IPSec, PPTP, or L2TP solution. A good approach with a Mac is to use a dynamic DNS provider and an open VPN product, then connect via a secure tunnel to your Mac. Even if you are on a hostile router, you should be fairly safe.

* EDIT – 3/24/2009 *

I actually did add remote FTP to Mides; however, I would still recommend against using the feature to connect to servers outside of your internal network.