I have stored fabric_api key in Info.plist file.But I don't want to include my key and secret in the info.plist file when the the app is live.
what is the best way to keep fabric/crashlytics key secure?
I only know several ways:
Just put it in a constant variable, or if you want under your struct that handles all your keys. That's it.
UserDefaults.
Use libraries to obfuscate somehow your keys, such as https://github.com/orta/cocoapods-keys
Keychain.
The last one is discussed by Apple.
Keeping a private key in a keychain is a great way to secure it. The key data is encrypted on disk and accessible only to your app or the apps you authorize.
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
Also some interesting discussions:
In iOS, how can I store a secret "key" that will allow me to communicate with my server?
swift3 - How to protect secret key
I hope this helps.
Related
I have an iMessage application that send files. Data is saved in iCloud servers using CloudKit. Everything works well.
Now I want to add a new level of security. I want to encrypt the data before sending it to iCloud.
The problem is that using public/private key pairs is not possible:
In iMessage the extension can't identify users.
No real time session can be opened between conversation participants to exchange keys.
None of the options below are strong enough to make the data secure:
Use a key encryption hardcoded in the application.
Generate a random key, encrypt data with it and save it with the data in the iCloud servers, so it can be downloaded with the file to decrypt it.
iCloud may be secure but users' data could be personal/sensitive so I want to add a new security layer + it's a fun exercice for me.
Could anyone help to find the right encryption method?
You could send the key in the url of a custom MSMessage, along with the CloudKit address. The url key and address can be encoded, base-64 format as a data url so only your app knows how to decode.
That way at least someone needs to know how to decode your standard url's before getting the encryption key.
I want the user to use their RSA private key via file sharing to store in my App's document directory. It is ok if the user has access to the RSA private key, but I don't want anyone else to have access to it. Is this a good idea and if not how can I get the user's to store his/her RSA private key in my App securely.
You need to use the keychain to store sensitive information like private keys.
https://developer.apple.com/library/ios/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
Do not attempt to roll your own solution ... iOS has already done the hard work for you (~properly).
Using the keychain will protect your data from other apps.
If you want to do this for OS X rather that iOS, then take a look at
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/03tasks/tasks.html#//apple_ref/doc/uid/TP30000897-CH205-TP9
As Apple docs state, apps can share keychain data if they have the same App ID prefix and they've set the same keychain-access-groups in Entitlements.
However, I've been able to access shared keychain data from the app that has a different App ID prefix as long as I provide the proper keychain-access-groups as a hard-coded string. Like ABCDEFGHIJ.my.keychain.group.
It seems that keeping the keychain-access-groups value secret is the only thing that prevents someone from accessing the keychain data. Obviously, since it's just a plist value, this is not safe at all.
Is there any way to ensure that an app that is not included in my Apple Developer Program will not be able to access shared keychain, even if it knows my keychain-access-groups value?
I'm creating app for iOS in the Xcode. There will be the private key that will be the same for all users (clients). What is the best way to store it on the client side (in iOS)? in what form should I store it and where is the best place? In which form it is better to put it in the installation package? I will use this key to encrypt the data. Thanks in advance for your answers
Safest and recomended way would be receiving the encrypted private key from a server (via a https connection) and the storing it in the secure container (Keychain).
I am storing the key & secret required for API call in iOS keychain using Apple code
My key & secret keeps on changing after every call to API. So once they are changed I save them in Keychain again. So I am accessging the iOS keychain frequently.
My questions are
Is it ok to store key & secret in iOS keychain ?
Does Apple allow this as I am accessing the keychain everytime I need to call API ?
Sure. That's what it's there for.
You access your keychain every time you want to get in your car, right?