Storing authentication token on iOS

Question

I am building an iOS application and the user authenticates with my web service. I don't want them to login every time the app launches (the token lasts a month). So I'd like to cache this on the device somewhere.

What's the best way to do this, securely?

Can I just rely on the app remaining suspended and keeping the token in 'memory'?

You may want to look at OWASP guidelines as well - https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet — rajagp, Jul 06 '15 at 15:25

score 24 · Accepted Answer · answered Oct 03 '12 at 19:20

2 options

Make use of NSUserdefault(store as access token or textfield inputs[Remember me option])
Keychain access(recommended) for doing the job.

NSUserdefaults is not secure for storing such credible values which is for authentication purpose.Keychain on the other hand is made to do this,safe and secure.

score 13 · Answer 2 · answered Oct 03 '12 at 15:59

13

You can't rely that iOS will keep your application forever in the memory. So, you have to save the token to persistent storage at some point.

Look at Keychain Service for iOS. This is the best place to store things like passwords, tokens and other keys.

answered Oct 03 '12 at 15:59

Victor Ronin

22,758
18
92
184

But what if the credentials are in the remote DB and he doesn't want to store those credentials locally? Does the need to use Keychain anyway to save the token or something like that? – Juan González Oct 16 '12 at 14:59
3

No. You don't have to store anything in Keychain. It's up to you where do you want to store any secret. However, let say you store credentials in remote DB. Now the question is how does your application authenticate to remote DB? If it will store hardcoded username/password then anybody can decompile your app, get username/password for remote DB from it and use it to get real credentials. So, at the end you will need to store something on your device and Keychain Service is common and reasonably secure way of doing it. – Victor Ronin Oct 16 '12 at 16:22

Josh · Answer 3 · 2014-01-22T22:59:48.263

9

You can't do it "securely." A token is public knowledge, and as soon as its on your device a hacker could gain access to it no matter what you try to do to protect it. Putting it in the keychain won't change this fact. Even if you store it there, which would make it secure while it's in there, they can simply wait until it expires then snag the next one when it comes in over the wire next time. Your access tokens aren't the thing you need to worry about securing, because you can't, in fact, do that in a mobile environment.

What this means is that you can store it anywhere you'd like. NSUserDefaults is fine, the keychain is fine, a database is fine, a text file in your documents directory is fine. All of them are equally secure because a determined hacker can simply wait for the right opportunity to access the data they want. You should instead worry about securing your users' authentication credentials. Make sure you store those in the keychain, and only ever communicate with your API over HTTPS to a server with a valid SSL certificate.

edited Jan 22 '14 at 22:59

answered Jan 17 '14 at 21:39

Josh

213
2
5

21

While I agree that a compromised device or connection will make most things insecure, security works mostly by making it, very, hard for an attacker to gain access to information or break something. With this in mind it makes sense to save the more sensitive information in a secure environment (such as the iOS Keychain). Surely a determined hacker will probably be able to defeat it, but a less determined one won't and that is a win. – lm2s Feb 04 '16 at 10:55
1

While i agree, what you say is true most of the time - you are better off putting this thing into keychain, and save yourself from of explaining it to other people. – user1244109 Aug 30 '18 at 13:48
3

Obscurity is no security! – Murat Yasar Nov 27 '18 at 11:36
1

@Josh How would a hacker snag the refreshed token under an HTTPS connection (with a valid SSL certificate)? I thought it's possible on browsers, but impossible for iOS. – allenlinli Apr 15 '19 at 04:55
1

You can do this yourself with software like Charles @allenlinli. In any case, just because "a determined hacker can get it no matter what" absolutely does not entirely devalue making it more difficult (or particular) to do so. It's not only a matter of IF someone could intercept the key, but also how many people can and would do so. Each established best practice will filter that pool down towards the few and highly skilled, reducing both likelihood and frequency of it actually happening. – Chris Dec 15 '21 at 20:28
It bothers me that this comment says "It's not secure" in the keychain or wherever you put it, and then proceeds to say that you should put passwords in that place. An access token is essentially a temporary password. You should NOT store passwords/tokens in UserDefaults EVER. Really the only thing I agree with here is that you should always communicate over HTTPS with a valid SSL certificate. – Connor Dec 16 '21 at 11:24

Storing authentication token on iOS

3 Answers3

Linked