Sandro

Reputation: 3160

How to safely store credentials entered in Application Preferences?

My iPhone App connects to a web service using a username and a password.

I prefer to save the credentials in the Application Preferences (settings bundle) like the Mail App. Is this secure enough? Is it possible to save those values to the keychain (via Application Preferences)?

Edit:

I want my users to enter their credentials in the Application Preferences of my App. Normally, I can retrieve this data in my app with NSUserDefaults. But Application Preferences saves the data as plain text and it's neither encrypted nor hashed. Is there a safe way? E.g., I know the keychain on the iPhone and I find it great! Can I use the keychain to hold the credentials entered in Application Preferences?

Food for thought: How does Apple do it? I mean, when I want to use the Mail App, I provide my username and password in the Application Preferences. Are those values stored as plaintext?

Upvotes: 6

Views: 1573

Answers (6)

Torin Nguyen

Reputation: 51

Apple owns the entire OS and of course the Mail app. They are using features outside of the public SDK, because they can. How do you think the Mail app can run in the background and keep checking for your mail? A normal app can't achieve this :(

Back to your main question, using keychain is the right way to go. But you probably have to disallow users to enter username & password in Application Preferences. There is no way to secure that.

Upvotes: 0

itgiawa

Reputation: 1616

It seems that many people do not understand your question. Unfortunately, I cannot find the answer myself. The question is how do you use the keychain AND NSUserDefaults at the same time. I too would like to use the NSUserDefaults interface. Hopefully we can figure this out...

One option would be to store just the username. Then when the app starts if there is no password in the keychain or if there is a wrong password in the keychain--ask for a new password.

Upvotes: 2

hotpaw2

Reputation: 70733

You can remove items from NSUserDefaults when your app runs after the user uses Settings to enter them into the app's Application Preferences. Then put them into the keychain. But these items may be in plain text in storage in the interim (depending on which iPhone model, some may encrypt the flash storage and the backups), before you can remove them from NSUserDefaults.

Upvotes: 0
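
The migration described in hotpaw2's answer above, sketched in Objective-C as an added example (not code from any of the answers or from Apple's sample). The preference keys and the keychain service string are assumed placeholders; substitute the keys from your own Settings bundle.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed placeholder names, not taken from the question.
static NSString *const kPrefUser = @"username_preference";
static NSString *const kPrefPass = @"password_preference";
static NSString *const kService  = @"com.example.myapp.webservice";

// Store the password for `account` as a generic-password keychain item,
// replacing the stored value if an item for that account already exists.
static OSStatus StorePassword(NSString *account, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kService,
        (__bridge id)kSecAttrAccount: account
    };
    NSMutableDictionary *add = [query mutableCopy];
    add[(__bridge id)kSecValueData] = secret;
    // Readable only while the device is unlocked; not migrated to other devices.
    add[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        NSDictionary *changes = @{ (__bridge id)kSecValueData: secret };
        status = SecItemUpdate((__bridge CFDictionaryRef)query,
                               (__bridge CFDictionaryRef)changes);
    }
    return status;
}

// Call on launch and whenever the app returns to the foreground, so a
// password typed into Settings is picked up the next time the app runs.
void MigrateSettingsPasswordToKeychain(void) {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSString *user = [defaults stringForKey:kPrefUser];
    NSString *pass = [defaults stringForKey:kPrefPass];
    if (user.length == 0 || pass.length == 0) return;  // nothing new entered

    // Delete the plaintext copy only after the keychain write succeeded;
    // the username stays in the preferences.
    if (StorePassword(user, pass) == errSecSuccess) {
        [defaults removeObjectForKey:kPrefPass];
        [defaults synchronize];
    }
}
```

After migration the password field in Settings appears empty, and the value still sits in the defaults plist between entry in Settings and the app's next run, which is the interim window the answer describes.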

Arne

Reputation: 2674

Did you check the keychain documentation? On the security, see this white paper by the Fraunhofer SIT institute.

Upvotes: 5

Nekto

Reputation: 17877

You can save it securely using Security.framework.

There is a very nice sample from Apple where many aspects of using that framework are discussed. I advise you to look through it. Here is the link to that sample: GenericKeychain

This sample shows how to add, query for, remove, and update a keychain item of generic class type. Also demonstrates the use of shared keychain items. All classes exhibit very similar behavior so the included examples will scale to the other classes of Keychain Item: Internet Password, Certificate, Key, and Identity.

Upvotes: 2

CIFilter

Reputation: 8667

Keychain Services will be required for secure storage. Using NSUserDefaults will not secure your data.

Upvotes: 2
