All geek questions in one place

How to safely store the credentials entered in the application settings?

My iPhone App connects to the web service using a username and password.

I prefer to save credentials in the application settings (set of parameters), for example Mail App. Is it safe enough? Is it possible to save these values ​​in the keychain (using the application settings)?

Edit:

I want my users to enter their credentials in the application settings of my application . Usually I can get this data in my application using NSUserDefaults. But Application Preferences saves the data in plain text and is not encrypted or hashed. Is there a safe way? For instance. I know the keychain on the iPhone, and I find it wonderful! Can I use a keychain to store the credentials entered in the application settings?

Food For Thought: How Does Apple Do It? I mean, when I want to use Mail App, I provide my username and password in the application settings. Are these values ​​stored in clear text?

+6
source share
6 answers

Have you checked the key binding documentation? For safety, see this white paper at the SIT Fraunhofer Institute.

+5
source

A firewall is required for secure storage. Using NSUserDefaults will not protect your data.

+2
source

You can safely save it using Security.framework .

This is a very good sample from Apple, where many aspects of using this structure are discussed. I advise you to review it. Here is a link to this sample: GenericKeychain

This example shows how to add, query, delete, and update a keychain element of a generic class type. Also demonstrates the use of common keychain elements. All classes exhibit very similar behavior, so the included examples will scale for other Keychain Item classes: Internet Password, Certificate, Key, and Identity.

+2
source

It seems that many people do not seem to understand your question. Unfortunately, I can not find the answer myself. The question is how do you use keychains and NSUserDefaults at the same time. I would also like to use the NSUserDefaults interface. Hope we can figure it out ...

One option is to save only the username. Then, when the application starts, if there is no password in the key chain or if the password is incorrect in the key chain, ask for a new password.

+2
source

You can remove items from NSUserDefaults when your application starts after the user uses the settings to enter them in the Application Preferences application. Then put them in the keychain. But these items may be in plain text in an intermediate storage (depending on the iPhone model, some may encrypt flash memory and backups) before you can remove them from NSUserDefaults.

0
source

Apple owns the entire OS and, of course, Mail. They use functions outside the public SDK because they can. Do you think the Mail app can run in the background and keep checking your emails? A regular application cannot achieve this :(

Returning to the main question using a keychain is the right way. But you should probably prevent users from entering their username and password in Application Preferences. It is impossible to provide this.

0
source

Source: https://habr.com/ru/post/897750/

More articles:


All Articles