
I'm working on an app that uses a certain webapp's API. The API requires the (plain-text) user password to be passed on each call. As I'm unfamiliar with password best practices (especially on mobile devices), I'm wondering what would be the best way and place to store the user password in my iPhone app. Any help is greatly appreciated.

Thomas K
    Could we have the name of that insanely insecure API? Just so we (as users) can avoid the service? – jv42 Jun 09 '11 at 15:27
  • Unless you're connecting through an SSL encryption, jv42 is right, it is pretty insane to be sending plain passwords. For encryption using AES though, there is a pretty cool tutorial knocking around the web - if you want, let me know. – theiOSDude Jun 09 '11 at 15:28
  • Luckily I'm connecting through an SSL encryption :) Tut sounds cool. Where can I find it? Basically I'm wondering where to securely store the password. – Thomas K Jun 09 '11 at 15:33
  • Encryption is a hard concept, but at some point you may want to implement it. Check out http://stackoverflow.com/q/538435/634132 for a starting point. – theiOSDude Jun 10 '11 at 11:23

3 Answers

5

If you're storing sensitive data, you should be using the keychain. The API is a pain to use, but there is some good sample code out there.

NSUserDefaults is easy to use but offers no encryption. If the user's iTunes backup isn't encrypted, you can just run strings on the right backup file to see your stored preferences in plaintext (I confirmed this last week). See this thread.

pepsi
2

Don't use NSUserDefaults, secure storage of passwords is exactly what the keychain services are for.

Jim
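The two answers above both point at Keychain Services without showing the API. The following is an added example, not code from any answer on this page, of storing, reading and deleting a per-account password as a generic-password keychain item with an access class that keeps it readable only while the device is unlocked and keeps it from migrating to another device through a backup. It assumes ARC, the Security framework linked into the target, and a placeholder service name.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder service identifier (assumption); use your own bundle-style name.
static NSString * const kServiceName = @"com.example.webappapi";

// Base query that identifies exactly one generic-password item per account.
static NSMutableDictionary *KeychainQuery(NSString *account) {
    return [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kServiceName,
        (__bridge id)kSecAttrAccount: account,
    } mutableCopy];
}

// Store the password, replacing any existing item for this account.
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: readable only while unlocked,
// and never restored onto a different device from a backup.
BOOL SavePassword(NSString *account, NSString *password, OSStatus *status) {
    NSMutableDictionary *query = KeychainQuery(account);
    NSDictionary *attrs = @{
        (__bridge id)kSecValueData:      [password dataUsingEncoding:NSUTF8StringEncoding],
        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    };
    OSStatus err = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attrs);
    if (err == errSecItemNotFound) {          // first save for this account: add instead
        [query addEntriesFromDictionary:attrs];
        err = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
    }
    if (status) *status = err;
    return err == errSecSuccess;
}

// Read the password back; returns nil when absent or when the item is not
// accessible (for example while the device is locked).
NSString *LoadPassword(NSString *account) {
    NSMutableDictionary *query = KeychainQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the item, e.g. on logout, so the secret does not outlive the session.
BOOL DeletePassword(NSString *account) {
    return SecItemDelete((__bridge CFDictionaryRef)KeychainQuery(account)) == errSecSuccess;
}
```

Because the item is bound to the service/account pair, a second `SavePassword` call for the same account updates the existing entry rather than failing with `errSecDuplicateItem`.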
-1

I store my encrypted password in NSUserDefaults. However, plain-text passwords shouldn't go here, as per my previous answer.

theiOSDude
  • No it doesn't, it is not intended for secure storage of passwords. You should be using the keychain services. – Jim Jun 09 '11 at 15:31
  • @jim, maybe I should have stipulated, as per my comment on the question, that I use AES encryption, so I suppose storing this AES-encrypted base64 string is safe to store in NSUserDefaults? Can I have my downvote upvoted please and I'll amend my answer. Cheers – theiOSDude Jun 10 '11 at 11:18
  • No, that's still not a good solution in several different ways. Firstly, why go to the trouble of doing the encryption yourself? That's what the keychain is for. Secondly, it's not secure. You need the key to decrypt. Where are you storing this? In the application bundle? Anybody with access to the App Store can get that. Thirdly, the keychain is more flexible - e.g. you can specify that its contents are only available when the device is unlocked. – Jim Jun 10 '11 at 11:35
  • Finally, it's a mistake to eschew a platform's purpose-built solution in favour of your own less functional alternative for a huge number of reasons. Seriously, the keychain is designed for *exactly this purpose*. – Jim Jun 10 '11 at 11:35
  • Jim, sorry, the question was about sending to a web service. In my situation I encrypt a given password in the app using an AES class, then send it in a SOAP request to a web service that then decrypts this using the same IV and key. I was giving my view on how I handle my own similar situation. – theiOSDude Jun 10 '11 at 11:40
  • Very few have broken through AES 256-bit encrypted data - fact. – theiOSDude Jun 10 '11 at 11:40
  • No, not very little, *nobody* has broken through AES 256. That is not relevant. The problem is that people use it incorrectly or inappropriately. – Jim Jun 10 '11 at 11:47
  • AES 256 is a symmetric cipher. You use the same key to encrypt and decrypt. If you are encrypting in your app, you have given an attacker everything they need to decrypt. – Jim Jun 10 '11 at 11:48
  • Furthermore, if all you need to access the web service is the encrypted value, you don't need the original password at all, you can just obtain the encrypted password and send that. – Jim Jun 10 '11 at 11:49
  • Finally, bringing it back to the original question: *"The API requires the (plain-text) user password to be passed on each call."* - your approach can't possibly work here. – Jim Jun 10 '11 at 11:50
  • I'm seeing your point Jim, but explain how "If you are encrypting in your app, you have given an attacker everything they need to decrypt". – theiOSDude Jun 10 '11 at 11:57
  • Symmetric encryption uses the same key to encrypt and decrypt. If you bundle the key in the app so that you can encrypt the data, anybody can just pull it out of the bundle and use it to decrypt the data. – Jim Jun 10 '11 at 12:03
  • Yeah, I understand that; the key is text within a class though - hardcoded. But I do see your thorough point Jim - +1 on your answer. Cheers – theiOSDude Jun 10 '11 at 13:47
  • It doesn't matter if it's hardcoded within a class - see my answer to [this question](http://stackoverflow.com/questions/6305808/is-it-possible-to-trace-back-a-string-inside-an-ipa-binary/6305858#6305858). – Jim Jun 10 '11 at 14:24