I am trying to store a username and password to hash against for future offline logging in. What is the best way to do this in objective c?
I will need the password to be stored securely.
Well, you can either create a file and store the information there, or you can put it in NSUserDefaults. I guess it depends somewhat on what your program does and how you really want it to work. If you're trying to store sensitive information (like plaintext passwords), you can use Keychain Services.
Use Keychain services (or keychain services for iPhone)
Related
What is the best way to save data (e.g. passwords) which the user can't manipulate or see? NSUserDefaults are getting saved in a file on the Mac which the user can manipulate and see. How about Core Data? Is this also saved in a file or is there a way that the user can see the Core Data?
NSUserDefaults definitely shouldn't be used to store passwords because it is stored in plain text. Core data can be encrypted, but it isn't by default. It stores all of its data in a SQLite database which is really easy to read. Passwords should be stored in the system Keychain. The keychain can be accessed with the Security Framework.
There are several libraries out there that make using the keychain much easier, eg: Locksmith or Valet.
In addition to #esthepiking's suggestion to use Keychain, be aware that implementing your own encryption to store passwords might create obligations for you to provide more paperwork under the App Store's "Export Compliance" requirements. See this post.
You can see this link to get the example to use ios Keychain Services to store and retrieve user name and password securely
I am developing an app and need a way to securely store API secrets and IDs. I understand that storing these strings directly within source-code is insecure as the code can be decompiled by hackers. I was wondering what the best way of hiding and securing these strings is and whether there is standard practise for doing such? I know this
From my own research I understand that hashing only allows a one-way encryption for verification of a string and that encryption allows two way encryption/decryption via the use of an encryption key. Therefore it may be necessary to hide the encrypted keys and their string's within a file.
Thanks
D
The place to save keys and API secrets is the App Keychain.
The keychain is designed to store secrets in a secure encrypted manner, there is no better way in iOS.
See iOS Keychain Services Tasks.
There are many source on SO of how to access the keychain.
Alright, I was using the keychain API provided by the Security.framework to store the passwords for the user accounts in my app. Unfortunately, the keychain API doesn't integrate well when your app is distributed via Cydia, and resides in the /Applications directory because the login process appears to be broken.
I decided that I would just encrypt the the pin the user inputs into the pin text field, and store the pin as a hash in the Core Data database. I know this isn't as secure as using the Keychain API, but I want to finish / release my app sometime this year. So I added the necessary objects to the necessary classes to be able to store the pin in the database. So my question is, why datatype should I use to store the password hash in the Core Data database. I assuming a String would be the necessary choice, but just wanted to confirm with the SO crowd.
Here's a picture of what I am talking about,
Use the Core Data NSString. Depending on what hash method you are wanting to use it will most likely be an alpha-numeric string.
Binary would be for pictures and stuff like that.
What is the best way to store an in-app-purchase on a device,
so that the purchases can also be accessed offline but
the security of the purchases are not compromised?
Do not store anything valuable on the device as it cannot be trusted and it can easily be compromised by someone motivated.
Now, all of this depends on the type and value of the item that is being purchased and what happens if its compromised.
If its truly valuable then use a remote secure server for managing secure items. In app purchases include a receipt that can be verified by your remote secure server talking to apple's servers directly through a secure connection. See this link to verifying store receipts.
As far as I know, the most convenient way to securely store a purchased asset would be to use some form of encryption.
The user should be able to download an encrypted asset, and the app should decrypt it on the fly.
However, make sure that you store the key in a secure fashion as well, as string keys (within the app binary) can easily be recovered by a skilled hacker. A good way to secure the key would be to use some sort of authentication with a server-based system. The app would get the key off the server and keep it only for the few moments required to decrypt the asset.
This defense mechanism is not impregnable; I feel that it is sophicaticated enough to discourage most users from attempting to undermine it.
To decrypt your assets on the device, a good idea would be to use CommonCrypto. It's provided by Apple (with the iOS SDK), so you don't have to build it from scratch and you don't have to provide documentation (required by US law) for your app. I find Jim Dovey's Common Crypto wrapper the easiest way to use it.
Hope that helps. :)
You'll want to encrypt the file, for which your best bet is probably Common Crypto. In order to be able to access the data offline, you need to store the encryption key on the device.
The solution is to use the keychain: Use SecRandomCopyBytes to generate a key of sufficient length, and store it in the keychain using SecItemAdd. Then use that key to encrypt the data and write it to the device's local storage in the normal manner. When it comes time to read the file back from disk, use SecItemCopyMatching to load the key from the keychain and use it to decrypt the data.
i am currently trying to secure my Objective-c application with a password. What I want is a window(or similiar..) popping up whenever the application is launched. Only if the password is right shall the user be able to use the program.
How to encrypt the string properly? I don't want any user to be able to extract it from the content files. Even though the user should be able to change it once he "logged in".
Thanks in advance.
I am asking for a hint only :)
Whenever you want to store sensitive information such as passwords, use Keychain Services.
You can create an md5-hash of the password and store that in a file. If someone else opens this file and sees the hash, it almost impossible to reformat it back to the original password. Now when the user enters a password in your application, make an other md5 hash from that one, and compare if that hash is the same as you stored in the file.
man 3 md5 for creating md5 hashes on Mac with C code. I don't know any Objective-C wrapper for that, but it should be easy to create it yourself.
Hope it helps,
ief2
EDIT: Keychain Services is indeed the more "standard" solution