thanks for the help
I have made a simple login system with email and password when the user logs in he gets a hidden userID and token from the webservice to navegate the app.
I want to save the UserID and the token in the app to use it in other classes but i dont know how to do that.
I had the idea of creating a void that holds the information but when i try to access it from other classes it doesn't work, i also tryied NSUserdefautls but i have been told that doing that is not safe so i gave up on that.
I tried keychain but i also managed to fail using that.
I really dont know what to do, can someone help me :)?
i just need a light in the end of the tunel here !haha
thank you very much.
The keychain is a good option for this, get Keychain wrapper code to make it easier.
Look for keychain helper software in CocoaPods, either add the pod or just copy the source files into your project.
You can use [NSUserDefaults standardUserDefaults] for this. But it is not a safe way to do this.
You can use third-party classes like Lockbox to store data in keychain securely. You can find more of these classes in CocoaPods.
Related
I am relatively new iphone developer. I need authentication process for my apps and I need the password and username to stored securely. I had read up some of the topics relating this in this forum.
It seems that the keychain is the better way to store the data securely and I come across the post about recommending this library.
PDKeychainBindingsController
I have tried the library and it is as easy to use as NSUserDefault. But what confuses me is that NSUserDefaults is not used in the first place to store credentials because their content can be easily hacked as some of the post mentioned.
Then my question here is that how secured is it to use above mentioned library as it still uses NSUserDefault to access keychain and my key in NSUserDefault would be still visible if the NSUserDefault is hacked.
I am a bit confused on that part and I would like any clarification on the topic if possible. I think I am missing something.
When you use PDKeychainBindingsController, you should call [PDKeychainBindings sharedKeychainBindings] and then set/get all string to/from the keychain. The PDKeychainBindingsController will call keychain API(which is C, hard to use) for you.
That means actually all [[PDKeychainBindings sharedKeychainBindings] setObject:... forKey...] will be kept in keychain. Don't worry to use it!
Where can I find a good detailed tutorial using sskeychain to store and retrieve usernames and passwords and to do basic authentication in a UIWebView? Secondarily, am I on the right track as far as the methods needed to store and use authentication for a web based application? (See explanation below.)
I found a couple tutorials using different methods:
Interacting with keychain directly
Handmade keychain wrapper (sic)
SFHFKeychainUtils
According to recommendations from other SO questions below, sskeychain is recommended for an easier use of the keychain to store authentication parameters.
Cocoa interface to MacOS X Keychain
https://stackoverflow.com/questions/8381072/save-username-and-password-for-url-like-gmail-com-iphone
My plan is to store a username and password locally on the device in the keychain as recommended and connect over a UIWebView using basic auth to my PHP code. Is there a good step by step tutorial for xcode/Obj-C newbies on the topic of user authentication that would be recommended by experienced iOS developers?
The Apple documentation seems less than helpful. It's either pages with simple sales jargon or just head imploding descriptions of methods and parameters without many helpful examples.
Update:
I ended up just using NSUserDefaults to store the username and password locally and the AFNetworking library to do the authentication. If these are unwise I'd welcome an answer that supplies guidance on a better method.
Using AFNetworking to do the authentication and calls to the server is great! But I would highly discourage you from storing credentials (username and password) in NSUserDefaults, since the contents are stored in a plist as plain text and can be read just by plugging your device to a mac. I recommend you to check these other questions and great post of a well-known case for further details on the topic.
You were right going for Keychain and using SSKeychain is easy and fast. You can find this good example on how to use SSKeychain to locally store the credentials.
// Store credentials in Keychain
[SSKeychain setPassword:#"thePassword"
forService:#"com.yourCompany.yourApp"
account:#"theUserName"];
// Retrieve credentials from Keychain
NSString *password = [SSKeychain passwordForService:#"com.yourCompany.yourApp"
account:#"theUserName"];
If you want to do basic auth, you might be better off using a networking service like AFNetworking. They all you to create a webclient, pass in a username/password combination and they take care of the rest.
This link show you the exact method call you need to invoke:
http://engineering.gowalla.com/AFNetworking/Classes/AFHTTPClient.html#//api/name/setAuthorizationHeaderWithUsername:password:
There is also a large community and a bunch of examples of developers using AFNetworking in all types of iOS project.
I would recommend to you to use
Lockbox
It's lightweight, works with ARC and easy to use.
I've look around and saw some of the ways are to use NSUserDefault, keychain and singleton on xcode to create a session for users who login through the app. I've also ask my friend and found it was possible to create a session and store it in the database.
I'm still new to programming and such, so please do not be offended by my silly question. What I want to know is, among the method mentioned above, which is the more appropriate method to hold a session. Is it a must that the session be held in the app? Is it possible to be the using webservice to create a session and store it in the db. Or can the session only be created by the app? (confuse about this)
I would like to know which is the most practical and of course, not that difficult for a beginner to implement and tweak. Thanks for the advice.
I know that there are some restricted api's or code that are not allowed to be in your app when you submit it to the app store.
How do you know what they are? Is there a way to check your app before you submit it to ensure you have not used such api's?
It is probably better to avoid this problem at the design stage, than trying to fix it later, so I was wondering if there is any tool in Xcode, or document to determine this.
The way Apple intends for you to do this is to use XCode's Validation feature. When you're submitting an app, you build for achiving (or Archive from the XCode menu). Then, you open up Organizer to see the archive you just created. At this point, you can press the Validate button in Organizer. That will perform a validation, without actually submitting the app. It will tell you if you're using Private APIs. Depending on how you use them, it might identify what the violation is:
There's definitely ways that code can fool this validation step, and "get away" with using Private APIs until the reviewer looks at the bundle. But, as far as I know, those ways would all be intentional methods of hiding Private API usage, and it sounds like you're trying to discover accidental usage.
If you fail this Validation test, then you might want to use something like AppScanner, mentioned in alan duncan's answer. But, for completeness, I wanted to make sure people knew that this Validation step is available in XCode, and checking for Private API usage is one of the things it's doing before you submit (and have to wait a few days to be told what you did wrong). Also, even if you don't use the Validate button in Organizer, but just use Submit, the tool is performing a Validation for you. The only difference is whether the bundle actually gets uploaded to iTunes Connect.
If you stick to documented interfaces as suggested above, you're fine. The only issue is with third-party libraries whose implementation may be opaque to you.
There is a Mac app called AppScanner that scans from private API usage. I have no experience with it, though.
You will get more information on Apple approval process from
App Store Review Guidelines for iOS apps (You must be a registered iOS developer for accessing this data).
iOS Human Interface Guidlines.
get the private API list.
use class-dump to process the Mach-O file, and get the processed string.
use regex to get the interface, class, or method in the string.
match the API to private API list.
then GOT it~
I opened a porject to do this, but because the reason of my company, canceled. very sorry for this.
I don't want to use NSUserDefaults as I have been told it's not a good way to save a username and password.
So I was going to use a Keychain, but I have never used them before. Can some one please just a give a quick example of one or point me in the direction of an example ? Thanks.
I Use the open source SSKeychain wrapper around the the C api used by the keychain.
It's convenient, easy to use, and works on Mac OS and iOS.
This is the best I have found till date... It five a very simple implementation of saving passwords and username to keychain. Please remember to include security framework in your project.
https://web.archive.org/web/20160305031351/http://iosdevelopertips.com/core-services/using-keychain-to-store-username-and-password.html
Keep in mind that this doen't work on simulator.