I want to get information of all logged in accounts like Google, Outlook, iCloud, etc. saved in iPhone (iOS 12).
I found ACAccountStore in Swift to get this info but I can't use it.
Actually, you can't do this.
These Internet services have been built with the same security goals
that iOS promotes throughout the platform. These goals include secure
handling of data, whether at rest on the device or in transit over
wireless networks; protection of users’ personal information; and
threat protection against malicious or unauthorized access to
information and services. Each service uses its own powerful security
architecture without compromising the overall ease of use of iOS.
From iOS Security (PDF), page 58.
You can obtain data which is "binded" with your app only, and if user allowed access.
Related
I'm new to the OAuth Authentication process so be gentle:
Goal: To create an embedded application on a device that will integrate with Google Drive, Dropbox, One Drive, Box to retrieve & store documents. This can be easily accomplished with OAuth2 authenticaiton.
Problem: The devices have limited input capabilities (and no browser) that prohibit users from being directly redirected, for them to input username/pass on the device.
Research: I've noticed looking through the documentation for these APIs that Google provides something called OAuth2 For Devices which allows the device to request a "User Code" when they first attempt to use the application on the device. The user can then go to a computer, navigate to a specific URL, and input that code to authorize the device to access their account. This circumvents to need for user input, or a browser at all, on the physical device.
Question: Do Dropbox, Box, OneDrive, or any others allow for this type of functionality, or anything comparable? As far as I can tell Google is the only one supporting this type of workflow.
Recently i've researched the same question and i've found out that while Google Drive Api supports OAuth2 flow for limited devices, it supports a very limited set of scopes. It means that Drive api for limited devices can offer only application data synchronization (files uploaded by app), because it won't find any files created by the user (outside of application, i.e. from web) even in a dedicated application folder. (assuming that user understands that application owns that folder and everything placed there ideally should be accessible by that)
By 2022, i've found the most promising api is from Koofr which doesn't have such limitation for devices and bundles multiple cloud services into one package.
Their documentation doesn't mention support for limited devices, yet it's fully working and can be found in their online HTTP api test suite.
Currently in the middle of a rather long-winded process of deciding upon the use of TouchID within an application being developed due, to security concerns, and wondered if anyone had any advice?
The idea from a product point of view is that a user can register with the application with a username/password (bog-standard flow in case of fall back for devices with no touch id) and then at a later date, if turned on via in-app preferences, use the TouchID system to 'login' to the application instead of typing a username/password again.
My concern is that this somehow means we have to store something on the device (retrievable upon successful touch) which can then authenticate the user and allow them access to the API (via JWT token, but probably doesn't matter).
This goes against almost everything I have ever read and been involved in with regards to mobile application development, which is storing anything sensitive on the client device is opening yourself up to an attack vector.
Yet - many applications already do this, so I am wondering what a typical process for enabling such a feature would be?
The app is sensitive by nature, has some personal information management which would be bad if leaked, if this makes a difference to the approach!
Thank you in advance
In my IOS application i am using google analytics, is it necessary to tell the app users that we using google analytics.
Is it necessary to show the google analytics primary policy in App.
Please help me.
From the App Store Review Guidelines
3.12 Apps should have all included URLs fully functional when you submit it for review, such as support and privacy policy URLs
In section 3.12: It specify that when you submit your application than you must have to include privacy policy URL. That does not mean that you need to show a separate page in application to show privacy policies.
Personally as a mobile user I have never seen privacy policy page of any analytics in application so far.
Also from Google Analytics Protocol SDK Policy you have to take care of following points.
Measurement Protocol / SDK / User ID Policy
All applications using the Measurement Protocol / SDKs / User ID must adhere to the following policies:
You must make sure you have the full rights to use this service, to upload data, and to use it with your Google Analytics account.
You will give your end users proper notice about the implementations and features of Google Analytics you use (e.g. notice about what data you will collect via Google Analytics, and whether this data can be connected to other data you have about the end user). You will either get consent from your end users, or provide them with the opportunity to opt-out from the implementations and features you use.
If you use an SDK to implement any Google Analytics Advertising Features, such as Audience Reporting or Remarketing, you will abide by the Policy for Google Analytics Advertising Features, in addition to the Google Play Developer Program Policies, or any other applicable policy.
You will not upload any data that allows Google to personally identify an individual (such as certain names, Social Security Numbers, email addresses, or any similar data), or data that permanently identifies a particular device (such as a unique device identifier if such an identifier cannot be reset), even in hashed form.
If you upload any data that allows Google to personally identify an individual, your Google Analytics account can be terminated, and you may lose your Google Analytics data.
I'm working on an iPhone app that is logging into a webservice and it's been asked of me to get the account login management into the settings page (i.e. next to Twitter, Facebook and Vimeo). From what I've been reading about the accounts framework, it appears that only those few companies have that ability.
I currently have it set up and working asking for login info periodically and polling the webservice for validation, but we're trying to move toward supporting moderately offline use, which means we need to have some sort of account info managed on the phone itself.
Can I use the built-in account framework for our own login credentials or is that not something that's available to a regular dev and I'll have to look for another way to do it on my own? Is that something that the keychain would be better for?
Using the keychain to securely store the users credentials is a good idea to start.
If I am understanding your question about a "built-in account framework", I don't believe there is a local framework for account management on the device itself that I am aware of that would be useful in this circumstance.
I've had to build an app that needed to authenticate to a web service that also needed to have some offline access. I ended up recording the validated authentication date and time in the NSUserDefaults and would let the user use the app for a 48 hours period before they had to re-authenticate. Their data was queued locally and when they had online access again, I would re-authenticate and then sync the data. Not the most elegant solution but it fit the project.
I used AFNetworking (http://afnetworking.com) to track the changes in network access and used to blocks to respond to the changes.
I am building a backend for ios apps, that support login in different networks.
Once the user login in to the network the client tells the news to the backend, and this could offer a list of worlds that the user might play, or even delete old worlds.
One way to steal another person's world is by saying that you are his social network id.
To solve that with facebook, we force the client to send us the fb_token, a token provided from facebook to the client, that we use in the backend to ask facebook if that specific user is the one that he told us to be.
If apple doesn't provide a way to validate this I understand that if an iOS app wants to use game center, it is directly forcing the app developer to also use iCloud because apple can validate the user credentials.
Did apple provide any way to validate user credentials?
The client on iOS can retrieve info about the currently logged in player in GameCenter, which has nothing to do with iCloud.
If you want to use iCloud to authenticate, you might have a different player than the one you wanted.
I think the solution is for the client to retrieve the player info in GameCenter, and send it to your server in an encrypted fashion (say HTTPS), including a timestamp and possibly other dynamic information. This way you'll know that the user info is being sent from the client app itself and there is no man-in-the-middle. That's really the issue that you are struggling with: how to ensure that client-server communication is secure.