1

I have a iOS application that I'm developing and the application must be bundled with a certificate in order to use the application since it makes use of webview and the site can not be accessed without the certificate.

I currently have a working solution but I noticed that when unzipping the .ipa file and looking into the code, I can see the password for the certificate very clearly as you can see from this line from the compiled code:

lastSampleTimeMainjsbundlecertificatep12PASSWORDHEREGCDAsyncSocketErrorDomain

A short code snippet of how I am retrieving the certificate:

[[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
 
 NSData *p12Data = [[NSData alloc] initWithContentsOfFile:p12Path];
 CFStringRef password = CFSTR("somePassword");

Is there any safe way to handle this type of scenario? Or will the password always be retrievable if it falls into the hands of someone who knows what he's doing.

SmalliSax
  • 342
  • 3
  • 6
  • 24
  • May be dummy question but why do you need the password if you have the certificate ? – Ptit Xav Oct 21 '22 at 10:08
  • Use keychain services to enable simple, secure storage for users’ passwords. In this way you avoid repeatedly asking the user for a password, and you don’t have to implement your own encryption, which can be error prone. https://developer.apple.com/documentation/security/keychain_services/keychain_items/adding_a_password_to_the_keychain – Sourabh Shekhar Oct 28 '22 at 12:27

2 Answers2

2

Use the Keychain API.

https://developer.apple.com/documentation/security/keychain_services

That's the standard way to protect API_KEYS, Certs., Even Username and Passwords.

It's simple and compatible with Objective-C

EDIT: For Certificates: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates/storing_a_certificate_in_the_keychain

Allan Garcia
  • 550
  • 3
  • 16
1

A simple solution might be to just obfuscate the string, creating the password string from a byte-array, but that's still not very safe.

Some explanation here.. also to consider, loading the password to a string should be avoided, as it could be read from the heap at runtime: https://stackoverflow.com/a/8881376/20283130

MJG
  • 355
  • 1
  • 9
  • I have tried to go different ways by encrypting the string and decrypting during runtime and even converted it to byte array but the compiled code always shows the password in cleartext afterwards after it has been loaded with the certificate. I'm starting to think that there is no "safe" way to go about this – SmalliSax Oct 26 '22 at 13:33
  • 1
    @SmalliSax I don't think you can see the clear text of the password in complied code, if the password was converted to byte array. Did you make some mistake? – user2027712 Oct 27 '22 at 07:16
  • Could you try to clean the complete build product and build again, please? Also search the whole project fully for the string, as it could be taken from some other place as well, even tough you seem to try with different strings already, right? – MJG Oct 27 '22 at 14:51
  • I might well have made some mistake but what struck me as an odd thing is that even though I encrypted the string and decrypted it at the same time the password always came in cleartext in the compiled code. I made sure the password was not being save elsewhere. What I managed to do however was to encrypt the string with a encryption library, take the output and then use that to decrypt it in the app. So the only visible string is now the output from the encrypted string if that makes sense. At least its a little more secure that way – SmalliSax Oct 27 '22 at 21:20
  • It could be that when your code computes a string from the array, eventually the compiler would optimize and 'resolves' the operation to directly reflect the final string. Indeed it is better to *never* load a clear-text password to a string. The proper solution could be the suggestion to use the Keychain API, if that isn't too over-engineering for your purpose. – MJG Oct 30 '22 at 08:49