I am a relatively new iPhone developer. I need an authentication process for my apps and I need the password and username to be stored securely. I have read up on some of the topics relating to this in this forum.
It seems that the keychain is the better way to store the data securely, and I came across a post recommending this library.
PDKeychainBindingsController
I have tried the library and it is as easy to use as NSUserDefaults. But what confuses me is that NSUserDefaults is not used in the first place to store credentials because its content can be easily hacked, as some of the posts mentioned.
So my question is: how secure is it to use the above-mentioned library, as it still uses NSUserDefaults to access the keychain, and my key in NSUserDefaults would still be visible if NSUserDefaults is hacked?
I am a bit confused on that part and I would like any clarification on the topic if possible. I think I am missing something.
When you use PDKeychainBindingsController, you should call [PDKeychainBindings sharedKeychainBindings] and then set/get all strings to/from the keychain. The PDKeychainBindingsController will call the keychain API (which is C, hard to use) for you.
That means everything set with [[PDKeychainBindings sharedKeychainBindings] setObject:... forKey:...] will actually be kept in the keychain. Don't worry about using it!
thanks for the help
I have made a simple login system with email and password. When the user logs in, he gets a hidden userID and token from the web service to navigate the app.
I want to save the userID and the token in the app to use them in other classes, but I don't know how to do that.
I had the idea of creating a void that holds the information, but when I try to access it from other classes it doesn't work. I also tried NSUserDefaults, but I have been told that doing that is not safe, so I gave up on that.
I tried the keychain but I also managed to fail using that.
I really don't know what to do. Can someone help me :)?
I just need a light at the end of the tunnel here! haha
thank you very much.
The keychain is a good option for this, get Keychain wrapper code to make it easier.
Look for keychain helper software in CocoaPods, either add the pod or just copy the source files into your project.
You can use [NSUserDefaults standardUserDefaults] for this. But it is not a safe way to do this.
You can use third-party classes like Lockbox to store data in keychain securely. You can find more of these classes in CocoaPods.
Where can I find a good detailed tutorial using sskeychain to store and retrieve usernames and passwords and to do basic authentication in a UIWebView? Secondarily, am I on the right track as far as the methods needed to store and use authentication for a web based application? (See explanation below.)
I found a couple tutorials using different methods:
Interacting with keychain directly
Handmade keychain wrapper (sic)
SFHFKeychainUtils
According to recommendations from other SO questions below, sskeychain is recommended for an easier use of the keychain to store authentication parameters.
Cocoa interface to MacOS X Keychain
https://stackoverflow.com/questions/8381072/save-username-and-password-for-url-like-gmail-com-iphone
My plan is to store a username and password locally on the device in the keychain as recommended and connect over a UIWebView using basic auth to my PHP code. Is there a good step by step tutorial for xcode/Obj-C newbies on the topic of user authentication that would be recommended by experienced iOS developers?
The Apple documentation seems less than helpful. It's either pages with simple sales jargon or just head imploding descriptions of methods and parameters without many helpful examples.
Update:
I ended up just using NSUserDefaults to store the username and password locally and the AFNetworking library to do the authentication. If these are unwise I'd welcome an answer that supplies guidance on a better method.
Using AFNetworking to do the authentication and calls to the server is great! But I would highly discourage you from storing credentials (username and password) in NSUserDefaults, since the contents are stored in a plist as plain text and can be read just by plugging your device into a Mac. I recommend you check these other questions and a great post on a well-known case for further details on the topic.
You were right going for Keychain and using SSKeychain is easy and fast. You can find this good example on how to use SSKeychain to locally store the credentials.
// Store credentials in Keychain
[SSKeychain setPassword:@"thePassword"
             forService:@"com.yourCompany.yourApp"
                account:@"theUserName"];
// Retrieve credentials from Keychain
NSString *password = [SSKeychain passwordForService:@"com.yourCompany.yourApp"
                                            account:@"theUserName"];
If you want to do basic auth, you might be better off using a networking service like AFNetworking. They allow you to create a web client, pass in a username/password combination, and they take care of the rest.
This link shows you the exact method call you need to invoke:
http://engineering.gowalla.com/AFNetworking/Classes/AFHTTPClient.html#//api/name/setAuthorizationHeaderWithUsername:password:
There is also a large community and a bunch of examples of developers using AFNetworking in all types of iOS projects.
I would recommend that you use
Lockbox
It's lightweight, works with ARC and is easy to use.
I've looked around and saw that some of the ways are to use NSUserDefaults, keychain and a singleton in Xcode to create a session for users who log in through the app. I've also asked my friend and found it was possible to create a session and store it in the database.
I'm still new to programming and such, so please do not be offended by my silly question. What I want to know is, among the methods mentioned above, which is the more appropriate method to hold a session. Is it a must that the session be held in the app? Is it possible to use a web service to create a session and store it in the db? Or can the session only be created by the app? (confused about this)
I would like to know which is the most practical and of course, not that difficult for a beginner to implement and tweak. Thanks for the advice.
I don't want to use NSUserDefaults as I have been told it's not a good way to save a username and password.
So I was going to use a Keychain, but I have never used them before. Can someone please just give a quick example of one or point me in the direction of an example? Thanks.
I use the open source SSKeychain wrapper around the C API used by the keychain.
It's convenient, easy to use, and works on Mac OS and iOS.
This is the best I have found to date... It gives a very simple implementation of saving passwords and usernames to the keychain. Please remember to include the Security framework in your project.
https://web.archive.org/web/20160305031351/http://iosdevelopertips.com/core-services/using-keychain-to-store-username-and-password.html
Keep in mind that this doesn't work on the simulator.
Can these files be easily encrypted to prevent users (with jailbroken iPhones) from modifying values?
What you're after is the Keychain API. Other apps on jailbroken devices can get TO your keychain values, but they're encrypted.
Here's a decent tutorial I just googled up.
You can use Secure-NSUserDefaults; it is a good way to prevent your plists from being changed.
You can get the code at: https://github.com/matthiasplappert/Secure-NSUserDefaults
Good luck!