Reputation: 796
I'm concerned about a password to an outside service on the web that I now hold as a clear text string in my iPhone app. The problem is if a hacker buys the app and downloads it into a jailbroken phone. He can inspect the binary code to extract the password string and cause havoc.
I'm sure this is a common problem and has a common resolution but I'm mentally blocked on how to protect the string. If I utilize some form of encryption won't I then open a can of worms for disclosure re international laws regarding encryption? Anyway, as the decryption would be done programmatically within the app in order to use the password, that can be reverse engineered.
What is the recommended route here? Thx.
Upvotes: 0
Views: 188
Reputation: 796
The answer is clear once stated. But it was not for a long road of thought. The web service password was needed by the app before it could retrieve anything from the net. Even if it were to be put into the keychain it was in clear text in the app bundle, ready for pleasure seekers looking for the password prior to being first run.
The answer was to encrypt the web service credentials at the desktop and put the encrypted string into the app, which could then be decrypted later when needed for use. This removed it from being inspected as clear text by a jailbroken phone prior to ever running the app.
Upvotes: 1
Reputation: 89549
Save your password in the Keychain (documentation linked for you).
Never in NSUserDefaults (where everything is in the next best thing to clear text).
Here is a tutorial with some useful info that you can get more information from.
Upvotes: 0