0

I have an API which requires a set of developer credentials (consumer key/consumer password) in order to call the Register user web service to register a user.

I would like to call the register user web service method via a mobile device, but do not want to store the developer credentials (too dangerous, even if it's encrypted).

How would you solve this problem?

001
  • @ShashankKulshrestha `NSUserDefaults` are stored as plain text on the file system of the iOS device. You should always use the keychain for password or tokens. – rckoenes Aug 19 '13 at 11:56
  • @rckoenes Not safe to store the developer credentials on the device itself. As for the token, we store this encrypted in the device's local database; if it gets compromised, that's 1 user's account. If the developer credentials get compromised, it has access to all users on the platform! – 001 Aug 19 '13 at 12:00
  • See http://stackoverflow.com/questions/10990821/how-to-securely-store-credentials-password-in-android-application – Arun C Aug 19 '13 at 12:02
  • @001 I was reacting to ShashankKulshrestha's comment. I agree that storing your developer token in the app will not be safe. But even if you don't, then the user can still catch the token when you connect to the server and send the token to the server. Thus unless the API has some solution you will not be able to solve your problem. – rckoenes Aug 19 '13 at 12:02

1 Answer

0

On iOS, use the "Keychain", http://developer.apple.com/library/ios/DOCUMENTATION/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html.

On Android, there isn't presently an encrypted keychain, see related question Android Keychain for user credentials. By using the file system and storing your credentials in plain-text, you'd be relying on the underlying app sandboxing, which secures your files to some extent (only readable by your application), though certainly not on rooted phones ... so you'd need to weigh the risks here and choose accordingly.

CSmith
  • The question is not about storing any data on the device, but supplying the key.secret of an API within the app's code. – rckoenes Aug 19 '13 at 12:03