
If I have a password variable that is used for remote SSL authentication, is it secure to store it in the source code?

e.g.

NSString *password = @"password";

Are there better ways?

Update: Sorry for the confusion. I am not storing the user's password; instead, I am storing a password that is used to call our own backend, and all copies of the app will use the same password.

Howard

3 Answers


My new answer:

Try not to use static passwords to access the back-end, period. What happens if somebody you don't want determines what that password is? Why not use usernames & passwords?

You can also consider using a public key or embedded certificate to allow only your app access to the back end servers.

My original answer:

Sounds like you want to get to know the Keychain.

Here's a tutorial that talks about it:

http://maniacdev.com/2011/07/tutorial-how-to-use-the-ios-keychain-to-store-names-and-passwords/

And here is a related question that talks about the security of Keychain under iOS.

You shouldn't have programs store a static password for all users, but instead have each user set up his/her account & password for authentication and then store that stuff in the keychain.

Michael Dautermann
  • I have updated my question: I am not storing the user's password; instead, I am storing a password to call our backend, which users don't know. – Howard Mar 09 '12 at 09:27
  • It would have been nice if your original question was a bit more clear to begin with. I've amended my answer. – Michael Dautermann Mar 09 '12 at 09:39
  • Thanks! But even using a public key, is it easy for a user to detect? I am just wondering if there is a better method to hide it somewhere in the code. I don't need a perfect way to do it; just better than storing it as a string would be OK. – Howard Mar 09 '12 at 09:52
  • @Howard: I am also stuck with the same issue. Did you find any way to hide the string inside your code? – ArunMak Sep 19 '13 at 09:31

Any text contained within your application is easily extractable. There's no real way around this: using the strings tool, anyone can see any and all text content statically embedded into your app. However, there are some ways around this; notably, if you split up your string into several static strings and concatenate them in the right order, it will be much more difficult to reverse engineer the password contained in your app.

I recommend you take a look at a similar question (How Safe is Information Contained within iPhone App Compiled Code), and specifically, my answer to that question, for a more in-depth explanation of what I mean. (Nimrod's comment on that question is also interesting.)

Itai Ferber

NO!

Build your app. Go to the terminal and type strings, then drag your executable to the terminal and press return... You'll see your secret password in plain text :)

You should store its hash.

Pooria Azimi
  • I have dragged the executable into the `strings` terminal but it keeps loading; nothing can be seen. – Howard Mar 09 '12 at 09:50
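Added example, not code from the question or from any of the answers above: the Python script below re-implements the part of the `strings` tool that Itai's and Pooria's answers rely on (scan a binary for printable runs, as `strings` and `strings -el` do) and turns it into a build-artifact check a team can run in CI, so a release fails if a known backend secret, or a token-looking high-entropy string, ends up in the compiled app. `SAMPLE_BINARY`, the URL, `BACKEND_PASSWORD` and `API_TOKEN` are constructed stand-ins for a compiled binary's data section and the literals it carries; none of them come from the page.

```python
"""Added example: a minimal `strings` clone plus a build-time secret check.
SAMPLE_BINARY is a CONSTRUCTED byte blob that mimics the data section of a
compiled app; it is not a real executable and every value in it is made up."""
import math
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed literals standing in for what an app like the one in the
# question would ship: the @"password" literal and a random-looking token.
BACKEND_PASSWORD = "s3cr3t-backend-password"   # stands in for @"password"
API_TOKEN = "Q7vJ4mXz9LpR2kWn8TbY3cHd"          # constructed, 24 distinct characters

SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 16   # header-like bytes
    + b"__TEXT\x00\x00__cstring\x00" + b"\x00" * 8       # section names
    + b"https://api.example.invalid/login\x00"           # constructed URL
    + b"\x01\x02\x03"
    + BACKEND_PASSWORD.encode("ascii") + b"\x00"          # the NSString literal
    + b"\x7f\x80\x00"
    + API_TOKEN.encode("ascii") + b"\x00\x00\xff\xfe"     # token, then a BOM-like gap
    + "Keychain".encode("utf-16-le") + b"\x00\x00"        # a UTF-16LE literal
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable runs of at least min_len characters: ASCII runs first
    (what plain `strings` prints), then UTF-16LE runs (what `strings -el`
    prints; Objective-C and Windows binaries commonly carry these)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(blob)]
    return found


def find_leaked_secrets(blob: bytes, known_secrets: Iterable[str]) -> Dict[str, List[str]]:
    """Map each known secret that survives in the binary to the extracted
    strings containing it.  Feed this the real values from your secret store
    and fail the build on a non-empty result."""
    extracted = extract_strings(blob)
    hits: Dict[str, List[str]] = {}
    for secret in known_secrets:
        matches = [s for s in extracted if secret in s]
        if matches:
            hits[secret] = matches
    return hits


def shannon_entropy(text: str) -> float:
    """Bits per character.  A 24-character token with no repeated character
    scores log2(24) ~ 4.58; words, paths and URLs usually score below 4."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def high_entropy_strings(blob: bytes, min_len: int = 16,
                         min_entropy: float = 4.2) -> List[str]:
    """Flag strings that look like keys or tokens even when the reviewer does
    not know the secret value in advance.  Human-chosen passwords such as
    BACKEND_PASSWORD score too low to trip this, which is why the known-secret
    check above is still needed."""
    return [s for s in extract_strings(blob)
            if len(s) >= min_len and shannon_entropy(s) >= min_entropy]


if __name__ == "__main__":
    # On a real build replace SAMPLE_BINARY with open(path, "rb").read().
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    leaks = find_leaked_secrets(SAMPLE_BINARY, [BACKEND_PASSWORD, API_TOKEN])
    suspicious = high_entropy_strings(SAMPLE_BINARY)
    if leaks or suspicious:
        print("FAIL: secrets present in build artifact:", leaks, suspicious)
        raise SystemExit(1)
```

Run against the constructed blob, the scan lists `__TEXT`, `__cstring`, the URL, the backend password, the token and `Keychain`, exactly the lines `strings` would show for such a binary, and the check exits non-zero because the password and the token are both present. Splitting a literal into several pieces, as Itai's answer suggests, only changes which runs appear in this list; the check still catches the case where a compiler folds adjacent literals back into one string, and it gives a team a repeatable way to verify that a secret they meant to move into the Keychain or behind per-user credentials really left the binary.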