CODEWITHSUNDEEP
iossecurity
raaz
raaz

Reputation: 12490

Erase keychain data if device is jail broken

Currently i have an application which has a "Remember Me" option for storing User ID.So to store this currently i am using Keychain APIs.

But i have a doubt if by chance device is stolen and somebody jailbreak the device. Can he able to get all these data from keychain?

How to prevent this ?

Upvotes: 11

Views: 2690

Answers (4)

Zeeshan
Zeeshan

Reputation: 586

Check this link Keychain Items, where you can enumerate all keychain items.

You can also use Protection Attributes for securing info.

Apple Docs

Good Read

Upvotes: 0

l0gg3r
l0gg3r

Reputation: 8954

Here is the best way for checking if Device jailbroken

Code that checks

bool forked = fork();
if (forked) {
    // Device is jailbroken
}

Upvotes: 0

Segev
Segev

Reputation: 19303

To be extra safe I'd add another layer of security on top of everything and make a simple check if the device is jailbroken. If that's the case I'd delete the current KeyChain \ sensitive data.

Something like that:

NSString *filePath = @"/Applications/Cydia.app";
if ([[NSFileManager defaultManager] fileExistsAtPath:filePath])
{
   //Device is jailbroken --> delete KeyChain
}

Or even better:

FILE *f = fopen("/bin/bash", "r");
BOOL isbash = NO;
if (f != NULL)
{
    //Device is jailbroken --> delete KeyChain
    isbash = YES;
}
fclose(f);

Upvotes: 2

Léo Natan
Léo Natan

Reputation: 57040

The most important thing when using the KeyChain is to not use kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly because then data is not encrypted securely (see Apple's documentation). Not using these adds a layer of security to KeyChain data, but still, a strong passcode would be required by the user to protect his data. If the user has no passcode on the device, the data is unprotected. If the user has a 4-digit passcode (the standard), the data is protected very weakly and can be brute forced in minutes.

If you require protection from jailbreak (and other attacks), your best option is to not use the KeyChain, but create an encrypted sensitive data store of your own and require the user to have a secure passcode. Store the data encrypted using a key generated from that passcode.

This could inconvenience your users, so if you wish to provide a grace period between requiring passcode, think of a way to provide a session cookie to the app which is invalidated after a set period of time.

Upvotes: 8

Related Questions