
I'm building an app which communicates with a web service I have developed. The app gets authenticated to the web service using basic auth. The username and password are stored as string variables in my code.

This doesn't feel very safe. Is it possible for someone to extract the password and username strings from the .ipa file? If it is, how should I store these strings?

rodskagg
  • Not sure why the previous comment was removed. This is the way you should do it - http://stackoverflow.com/questions/6972092/ios-how-to-store-username-password-within-an-app – Sam B Feb 20 '16 at 15:10
  • @SamB To be clear, I do not want to store username and password entered by the user. I have a hardcoded username and password in the app, used to authenticate against my web service. – rodskagg Feb 20 '16 at 15:56
  • It's the same thing. Any username and password you store in your app should be stored in keychain and not in NSUserDefaults, whether you provide it or the user. Just an FYI, since you will have to "set" one on first app launch, i.e. you will hardcode it in the code itself, anyone can hack your ipa file and "read" the text out of it. At that point it makes no difference if you set it in userdefaults or keychain. – Sam B Feb 20 '16 at 16:26
  • http://reverseengineering.stackexchange.com/questions/1594/possibilities-for-reverse-engineering-an-ipa-file-to-its-source – Sam B Feb 20 '16 at 16:32
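
An added example, not part of the original question or comments: a pre-release check that scans your own build for a hardcoded Basic-auth credential, showing that string literals stay readable inside the .ipa as the comments above say. The credential values, the `Demo` bundle and the helper names `secret_encodings`, `scan_ipa` and `build_sample_ipa` are constructed for illustration.

```python
import base64
import io
import zipfile

def secret_encodings(username, password):
    """Byte patterns under which a Basic-auth credential may sit in a build."""
    pair = f"{username}:{password}"
    return {
        "username (UTF-8)": username.encode("utf-8"),
        "password (UTF-8)": password.encode("utf-8"),
        "password (UTF-16LE)": password.encode("utf-16-le"),
        # A precomputed "Authorization: Basic ..." value is just base64, not encryption.
        "base64(user:pass)": base64.b64encode(pair.encode("utf-8")),
    }

def scan_ipa(ipa_bytes, username, password):
    """Return sorted (archive member, pattern label) pairs found in the .ipa."""
    patterns = secret_encodings(username, password)
    hits = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:  # an .ipa is a zip archive
        for info in ipa.infolist():
            if info.is_dir():
                continue
            data = ipa.read(info)
            hits += [(info.filename, label)
                     for label, needle in patterns.items() if needle in data]
    return sorted(hits)

def build_sample_ipa(embedded=b"svc-user\x00s3cr3t-Passw0rd\x00"):
    """Constructed stand-in for a build: a fake executable and a plist."""
    binary = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + embedded + b"\x00" * 8
    plist = b"<plist><dict><key>CFBundleName</key><string>Demo</string></dict></plist>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/Demo", binary)
        z.writestr("Payload/Demo.app/Info.plist", plist)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_ipa()  # constructed sample, not a real app
    for member, label in scan_ipa(sample, "svc-user", "s3cr3t-Passw0rd"):
        print(f"{member}: contains {label}")
```

A hit on any pattern means the credential ships to every device that installs the build, regardless of where the app copies it at first launch.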

0 Answers