0

I would like to store a username, password and auth token in my iOS app so that I can connect to my db, perform operations etc. I notice that the recommended way is keychains. The reason for this is that a malicious hacker, if they got your ipa by jailbreaking or something else, can read your code and look at the username/password.

But my question is, once the user logs in and I save their username and password in the keychain, I set the credentials in the code itself, so how is this secure? If a hacker gets an ipa and opens up the code, they will see where I'm setting the password anyway. Or is there a place to store this so no one can really see it?

I have been reading a lot about how secure keychain is and I definitely agree it is, but setting the value in keychain has to be done in the code itself which worries me if someone gets the code and can see it.

Reference: https://medium.com/ios-os-x-development/securing-user-data-with-keychain-for-ios-e720e0f9a8e2

fscore
  • 2,567
  • 7
  • 40
  • 74
  • Data that is provided *by the user* such as usernames & passwords is only stored in the keychain (and in memory while you are using it), so it is reasonably secure. Data that you need to ship with your app (such as an API key) can only be obscured; it can't be protected against a determined attacker. The recommended model is that your app uses user-provided credentials against your server and your server code holds any required API keys to make requests on your app's behalf – Paulw11 Jun 01 '17 at 02:34
  • Also take a look at [Keychain Dumper](https://github.com/ptoomey3/Keychain-Dumper) on GitHub. I use it during security evaluations of iOS apps. You should not store the password; and be careful about storing the token. – jww Jun 01 '17 at 04:35
  • @jww to be fair you need to evaluate the security of the keychain in the context of the application and the data you are storing; Keychain dumper requires physical access to the device and that the device be jailbroken. If a device is secured by a passcode then it will be reasonably secure against a keychain dumper attack by a thief. If the password being stored is the user's own password then there is no reason for the owner to use keychain dumper on their own device and using the keychain gives considerable convenience to the user. – Paulw11 Jun 01 '17 at 04:40
  • @Paulw - I guess it depends on security policies and risk adversity. For the firms I work with in US financial, if you store the password, then you will likely fail a security evaluation. They have standard operating procedures that forbid the practice. It does not matter to the firm how the bad guy gets the sensitive information, like JB'ing a device. – jww Jun 01 '17 at 04:43
  • As I said, you have to evaluate in the context of the application and your requirements. I think it is too broad to say "you should not store the password", because that is a policy that applies to your industry/firms. In Australia, for example, banking apps routinely store a credential in the keychain which is accessed via a PIN or TouchID (I presume it is a token rather than a password, but it is still a credential). The banks here will have evaluated the risk vs the convenience in order to arrive at a policy. – Paulw11 Jun 01 '17 at 04:47

1 Answer

0

You can add an extra layer of protection by detecting if the app is running on a jailbroken phone: How do I detect that an iOS app is running on a jailbroken phone?

Also, the keychain provides protection for passwords or private keys, as the data is encrypted.

An application can access only its own keychain items, or those shared with a group to which the app belongs.

https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html

Mohamed Mostafa
  • 1,057
  • 7
  • 12
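An added example in Swift (not code from the question or the answer) showing the model from Paulw11's comment and the answer's last two points: only a server-issued token, supplied at runtime after login, is written to the app's own keychain item, so the source contains no secret, and the accessibility class ties the item to this device while it is unlocked. The service and account strings are assumed names.

```swift
import Foundation
import Security

/// Minimal keychain wrapper for a session token (added example, not from the
/// original post). The only literals here are item labels; the token itself
/// arrives at runtime from the login response, so reading the binary reveals
/// no credential.
enum TokenStore {
    private static let service = "com.example.myapp.session"   // assumed identifier
    private static let account = "auth-token"                  // assumed identifier

    /// Base query identifying the single token item this app owns.
    /// Other apps cannot read it unless they share this app's access group.
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Stores (or replaces) the token. WhenUnlockedThisDeviceOnly means the
    /// item is only decryptable while the device is unlocked and is never
    /// migrated to another device through backups or iCloud Keychain.
    static func save(token: String) -> OSStatus {
        guard let data = token.data(using: .utf8) else { return errSecParam }
        SecItemDelete(baseQuery as CFDictionary)  // errSecItemNotFound on first save is fine
        var attributes = baseQuery
        attributes[kSecValueData as String] = data
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    /// Reads the token back, or nil if none is stored or the device is locked.
    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    /// Removes the token on logout so a later device compromise exposes nothing.
    static func clear() {
        SecItemDelete(baseQuery as CFDictionary)
    }
}

// Usage: the password is sent to the server once over TLS and never persisted;
// only the returned token is kept:  let status = TokenStore.save(token: loginResponse.token)
```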