3

I need to code in authentication information for specific parts of my website into my app. Is it at all possible for the app to be "decompiled" and the username and password exposed?

NSURL *url = [NSURL URLWithString:@"https://predefinedUsername:predefinedPassword@www.website.com"];
Jack Humphries
  • 13,056
  • 14
  • 84
  • 125

4 Answers

6

Yes, it is possible. Assume that if you have anything compiled into your app, it can [and will] be discovered by someone somewhere. Even if it isn't possible today, you are creating a frozen record of such information that will be vulnerable to any future attacks, known or unknown.

You really need the user to perform some task that authenticates them. There are a million and one ways to do that, and for every one of those, a million and two ways to do it wrong. :)

Without knowing more about your specific requirements, it is impossible to really say much more outside of "keep it simple and don't store or send anything in clear-text".

bbum
  • 162,346
  • 23
  • 271
  • 359
  • Thanks a lot for your help. Do you have any idea how more popular apps, especially magazines do it? The content is downloaded from a secure website, and won't the username and password be the same every time? Why can't people decompile the app and download issues for free? Or am I looking at this the wrong way? Thanks. – Jack Humphries Mar 28 '12 at 20:20
  • 1
    @JackHumphries Available options vary by platform. If instead of having a single, hardcoded account shared by all instances of the app you instead have a per-purchase token, creating a new account on the backend per paid purchase (which can be revoked if abused/shared/refunded), that would be a start. I know only a little something about the Android Market and nothing at all about Apple's App Store infrastructure, though, so I couldn't give you any more specific hints. – Charles Duffy Mar 28 '12 at 20:28
5

As @Hyperbole said, if you store the username and password in plain text it will be visible in the executable. It is extremely trivial to examine the executable for strings, and it's usually the first thing someone with malicious intent will try.

Right-click on any app you've downloaded in iTunes and select Show in Finder. Make a copy of the app on your desktop and rename the app from AppName.ipa to AppName.zip. Double-click to unzip it, and look inside the folder. Navigate to the folder Payload and then right-click on the (probably only) file in there called AppName that looks like an application but has a big circle with a cross through it for the icon. Select Show Package Contents. Scroll through until you find a file called AppName with no extension and a blackish rectangle with the green word "exec" as an icon. Open that file in TextEdit or another text editor. You'll find that most of this ends up being random symbols and other crap, but you should occasionally see some plain text. The compiler takes string constants and embeds them directly in the app when you compile it in most cases.

You asked about what magazine apps and others do to access content - There are a ton of different ways to do it but off the top of my head, after the server verifies your in-app purchase receipt, the server would record an identifier specific to your iTunes account, saying that you've purchased a specific issue of the magazine. Then your app can request that file from the server, adding the identifier to the request in the process. The server would respond with the file once it looks through the database and determines that you've purchased the content.

Other solutions include signing/hashing a unique key.

Jack Lawrence
  • 10,664
  • 1
  • 47
  • 61
2

Your example would expose the username and password without the need to decompile, as you send it via plain text in a URL request. Anyone with a sniffer or MITM service could snatch it out of the air. A better approach would be to make use of SSL via the https protocol. You could go a step further and either prompt at runtime for the credentials and/or store an encrypted version within the app.

Cliff
  • 10,586
  • 7
  • 61
  • 102
  • Thanks. All information will be sent over SSL. Could you please further explain what you mean when you said to store an encrypted version of credentials within the app? How would I decrypt them when they need to be sent to the server? Thanks a lot. – Jack Humphries Mar 28 '12 at 20:31
2

This is very bad because it is trivially easy to recover these credentials just by running 'strings' against the app binary without needing to decompile it.

Can't you pop up a dialogue box asking the user to enter the credentials when they first start the app? Alternatively you could store them encrypted in a file and then ask the user for an alternative credential, e.g. a passcode that derives the key, but even this will not survive a determined attack unless the passcode is long.

Andrew
  • 993
  • 9
  • 11
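The "look for plain text in the executable" step from Jack Lawrence's answer and the 'strings' run from Andrew's answer can be turned into a pre-release check so that a URL like the one in the question never ships. The following is an added example (not code from any answer above): it re-implements the core of `strings` (runs of printable ASCII) so it needs no external tool, then flags any `scheme://user:password@host` literal it finds. The sample binary is constructed bytes, not a real app.

```python
"""Pre-release check: does a compiled binary contain credentials embedded in a URL?"""
import re
from typing import List, Tuple

# Matches URL userinfo of the form scheme://user:password@host
CREDENTIAL_URL = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^/:@\s]+):(?P<password>[^/@\s]+)@(?P<host>[^/\s]+)",
    re.IGNORECASE,
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_embedded_credentials(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (host, user, masked_password) for each credential-bearing URL in the binary.

    The password is masked so the finding can go into a CI log without re-leaking it.
    """
    findings = []
    for s in extract_strings(data):
        for m in CREDENTIAL_URL.finditer(s):
            pw = m.group("password")
            masked = pw[:2] + "*" * (len(pw) - 2)
            findings.append((m.group("host"), m.group("user"), masked))
    return findings


# Constructed stand-in for a compiled app binary: non-printable junk around the
# question's string constant, which the compiler embeds verbatim.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x80"
    b"__TEXT\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"https://predefinedUsername:predefinedPassword@www.website.com\x00"
    b"\x00\x00Payload/AppName.app\x00\x12\x34"
)

if __name__ == "__main__":
    for host, user, masked in find_embedded_credentials(SAMPLE_BINARY):
        print(f"embedded credential for {user}@{host}: password {masked}")
```

Run it against the built binary inside Payload/AppName.app in CI and fail the build on any finding; a URL without userinfo (e.g. https://www.website.com/api) is not flagged.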