Reputation: 19805
If I have a password variable that is used for remote SSL authentication, is it secure to store in the source code?
e.g.
NSString * password = @"password";
Is there a better way?
Update: Sorry for the confusion. I am not storing the user password; instead, I am storing a password that is used to call our own backend. All the apps will use the same password.
Upvotes: 2
Views: 1924
Reputation: 29764
Any text contained within your application is easily extractable. There's no real way around this - using the strings tool, anyone can see any and all text content statically embedded into your app. However, there are some ways around this - notably, if you split up your string into several static strings and concatenate in the right order, it will be much more difficult to reverse engineer the password contained in your app.
I recommend you take a look at a similar question (How Safe is Information Contained within iPhone App Compiled Code), and specifically, my answer to that question, for a more in-depth explanation of what I mean. (Nimrod's comment on that question is also interesting.)
Upvotes: 1
Reputation: 89509
My new answer:
Try not to use static passwords to access the back-end, period. What happens if somebody you don't want determines what that password is? Why not use usernames & passwords?
You can also consider using a public key or embedded certificate to allow only your app access to the back end servers.
My original answer:
Sounds like you want to get to know the Keychain.
Here's a tutorial that talks about it:
http://maniacdev.com/2011/07/tutorial-how-to-use-the-ios-keychain-to-store-names-and-passwords/
And here is a related question that talks about the security of Keychain under iOS.
You shouldn't have programs store a static password for all users, but instead have each user set up his/her account & password for authentication and then store that stuff in the keychain.
Upvotes: 2
Reputation: 8633
NO!
Build your app. Go to the terminal and type strings and then drag your executable to the terminal and press return... You'll see your secret password in plain text :)
You should store its hash.
Upvotes: 0
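The check the answers describe (running strings over the built executable) can be automated as a release gate. The following is an added example, not code from any of the posts above; the sample bytes, the secret values and the function names are constructed for illustration.

```python
import re

# Constructed stand-in for a compiled executable: binary padding around one
# 8-bit string literal and one UTF-16LE literal. All values are made up.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 8
    + b"https://api.example.invalid/v1\x00"
    + b"\x01\x02\x03"
    + b"backend-Passw0rd!\x00"
    + b"\x90\x90"
    + "S3cretToken#42".encode("utf-16-le") + b"\x00\x00"
)

def printable_runs(blob, min_len=4):
    """Yield (offset, encoding, text) for each run of printable characters."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_len,
        "utf-16-le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len,
    }
    for encoding, pattern in patterns.items():
        for match in re.finditer(pattern, blob):
            yield match.start(), encoding, match.group().decode(encoding)

def find_embedded_secrets(blob, known_secrets, min_len=4):
    """Return sorted (run offset, encoding, secret) for secrets found in blob."""
    hits = set()
    for offset, encoding, text in printable_runs(blob, min_len):
        for secret in known_secrets:
            if secret in text:
                hits.add((offset, encoding, secret))
    return sorted(hits)

if __name__ == "__main__":
    # In a release pipeline the blob would be the built executable's bytes and
    # the list would come from the team's secret store (both assumed here).
    secrets = ["backend-Passw0rd!", "S3cretToken#42", "not-in-binary"]
    found = find_embedded_secrets(SAMPLE_BINARY, secrets)
    for offset, encoding, secret in found:
        print(f"offset {offset:#06x} ({encoding}): embedded secret {secret[:3]}...")
    raise SystemExit(1 if found else 0)
```

A clean result only shows that the secret is not stored as one contiguous literal; it does not make a shared secret shipped inside the app safe.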