Best Place to Store Included AWS Credentials in an iOS Application

Question

I plan on using the AWS SDK for iOS for an upcoming project. I need to store credentials for AWS with the packed application. Where is the most secure place to place them? I know that storing them in a pList would be a bad idea. Is it better to just 'hard-code' it into a class that will be compiled? Is there any risk there?

Answer 1

I believe that completely hiding the credentials is theoretically impossible. That is, if your compiled code can read them, then in theory so can anyone with access to the compiled code. But imperfect security is still worth something. I'd guess that most attackers would just look through the binary for strings that look like secret keys, and not go to the trouble of decompiling the code and trying to interpret how it works, so one way to hide the credentials would be to store them in an encoded form, then decode them as needed. This way the decoding algorithm becomes your key, and an attacker would have to find and understand it to extract your credentials.

Here's a fairly simple way to do it using a random XOR mask. Replace the following bogus password with yours, and remember to keep the NULL terminator (\0) in place. Compile and run this code as a standalone program:

#include <stdio.h>

#define PAD_LENGTH 32

int main() {
  int i;
  char c;

  // start with the password
  char password[PAD_LENGTH] = "My AWS Password\0";

  // make a random pad to encrypt it
  printf("PAD:\n{");
  char pad[PAD_LENGTH];
  for (i = 0; i < PAD_LENGTH; i++) {
    c = arc4random() & 0xFF;
    pad[i] = c;
    printf("%#02x", c & 0xFF);
    if (i < PAD_LENGTH - 1) printf(",");
  }
  printf("}\n");

  // make an encrypted version of the password
  printf("KEY:\n{");
  for (i = 0; i < PAD_LENGTH; i++) {
    c = pad[i] ^ password[i];
    printf("%#02x", c & 0xFF);
    if (i < PAD_LENGTH - 1) printf(",");
  }
  printf("}\n");

  return(0);
}

Then copy the generated pad and key into code like this (which will actually get included with your app):

#define PAD_LENGTH 32

char pad[PAD_LENGTH] = {0x83,0x26,0x8a,0x8b,0xee,0xab,0x6,0xed,0x2e,0x99,0xff,0x23,0x7f,0xef,0xc8,0x8,0x6b,0x8e,0xa4,0x64,0x6d,0xb,0x7,0xd2,0x6a,0x39,0x60,0xa4,0xa9,0xad,0xea,0xb8};
char key[PAD_LENGTH] = {0xce,0x5f,0xaa,0xca,0xb9,0xf8,0x26,0xbd,0x4f,0xea,0x8c,0x54,0x10,0x9d,0xac,0x8,0x6b,0x8e,0xa4,0x64,0x6d,0xb,0x7,0xd2,0x6a,0x39,0x60,0xa4,0xa9,0xad,0xea,0xb8};
for (int i = 0; i < PAD_LENGTH; i++) {
  key[i] = key[i] ^ pad[i];
}
NSString *password = [NSString stringWithCString:key encoding:NSASCIIStringEncoding];

Since this is on a public forum, you might want to change a few things, like making the pads a different length, splitting them up and rejoining them with code, reordering them, etc. You could also store the pad and key in distant parts of the code. A truly skilled and dedicated attacker is going to be able to find your password no matter what, but the basic idea is that most people scanning the binary for a password will not find it as such.

Answer 2

Have you looked at the Data Protection API?

What are the new "iOS data protection APIs"?

There are various options depending on your security needs.

This question may help also.

Data Protection on iOS

The video from a conference this year was useful.

http://developer.apple.com/videos/wwdc/2010

Answer 3

you should use AWS Identity and Access Management (IAM): http://aws.amazon.com/iam/

you can find more information about AWS Credential Management in Mobile Applications on http://aws.amazon.com/articles/4611615499399490