So I developed an iOS app called Due it a while back, and I had no idea what I was doing at the time. Anyhow, I lost all of the files for it, so I decided to re-create the project, but I stored data in Keychain on the old version. Is there any way that I can get the Keychain data back? (I'm using the same Bundle Identifier.)
I've tried using this: https://stackoverflow.com/a/44310869/4705065 but it doesn't find any data.
Not at this point.
You are able to add multiple applications to a Keychain Access Group within an app, but you would have had to do that within the original app you no longer have access to.
More information on Keychain Access Groups.
It would be a big security concern if anyone could access anything within keychain without explicit permission.
Related
I have a framework which stores data in Keychain.
Is there anything I can do to prevent access to that data from other apps on a device which has more apps using the same framework? And can they access it?
I googled a lot but could not find a good answer to this question.
Thanks in advance!
That's the default situation. Each app has its own access group by default, and things put into Keychain are limited to that access group. The framework isn't relevant, only the app ID (and by extension the access group or groups).
For more on access groups, see Sharing Access to Keychain Items Among a Collection of Apps for how apps (from the same development team) can share Keychain items. But the default is that they don't.
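A sketch of how the access group enters a keychain query, as an added example that is not code from the answer or from Apple's documentation. The service name and the group string a caller passes in (for instance `TEAMID.com.example.shared`) are placeholders; with `accessGroup` left `nil` the item stays in the app's own default group, which is the isolation the answer describes.

```swift
import Foundation
import Security

// Added example: generic-password storage with an optional explicit access group.
struct KeychainStore {
    let service: String        // placeholder, e.g. "com.example.sdk"
    let accessGroup: String?   // nil: the app's default (private) access group

    struct Failure: Error { let status: OSStatus }

    private func query(for account: String) -> [String: Any] {
        var q: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Set only when sharing between apps of the same team. The value must
        // be listed in the app's keychain-access-groups entitlement, otherwise
        // the keychain call fails.
        if let group = accessGroup { q[kSecAttrAccessGroup as String] = group }
        return q
    }

    func save(_ secret: Data, account: String) throws {
        let base = query(for: account)
        let update: [String: Any] = [kSecValueData as String: secret]
        var status = SecItemUpdate(base as CFDictionary, update as CFDictionary)
        if status == errSecItemNotFound {
            var add = base
            add[kSecValueData as String] = secret
            add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
            status = SecItemAdd(add as CFDictionary, nil)
        }
        guard status == errSecSuccess else { throw Failure(status: status) }
    }

    func read(account: String) throws -> Data? {
        var q = query(for: account)
        q[kSecReturnData as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(q as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }   // not stored, or not visible to this app
        guard status == errSecSuccess else { throw Failure(status: status) }
        return result as? Data
    }
}
```

A framework embedded in two different apps runs this same code under each host app's entitlements, so each app reads only what its own access groups allow.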
My GoogleService-Info.plist file for iOS was stolen, is it possible to disable access to my Firebase Firestore to all current iOS devices, and reset this file?
I tried to delete my iOS app in Firebase, but I can still make requests from my iPhone...
And I need to disable access only for iOS devices, not Android.
As Doug Stevenson pointed out, the contents of the GoogleService-Info.plist are public and accessible to every iOS user of your application. Therefore it is inaccurate to say they could be stolen, as they're already publicly available.
As explained in the Firebase documentation, the file fields contain identifiers used by your application and Firebase servers to route the requests being made to Firestore, Real Time Database and the rest of the products the app might be using. Reading the documentation or the post shared by Doug, you would see the information exposed is not a security threat.
Moreover, I would like to point out that everybody could try to access your Firestore collections and try to add/drop data. This is indeed expected as Firestore is publicly accessible by mobile and web clients. However, this doesn't mean Firestore is exposed to users to do whatever they please, instead, the actual access is totally under your control by the means of security rules, which enforce what actions a given user could do. In that sense, the developers who left will only have the access level that your security rules grant them, which shouldn't be a threat when having good rules in place.
Lastly, you may revoke the credentials completely removing the application. I'd say it's not a great idea as you would cause a service disruption to app users. Also, this won't improve security or diminish risks.
You can remove the app directly from the Firebase console
Before proceeding make sure to check and understand the consequences.
Click on Settings > General;
Scroll down to Your Apps;
Identify the app and click on Remove this app.
I am saving an important key in the iOS keychain. Everything seems to be working okay right now. There has been only one issue. The keychain data is still alive after you delete the App. Which I was able to resolve by checking if the App has just been installed and deleting the data in the keychain. However, I want to be sure if there aren't any more issues or pitfalls I should be looking for.
The Apple keychain uses 256 bit AES encryption to secure data. It is ostensibly the mechanism that Apple uses internally to store private data such as your passwords as well. Other than your comment about the data being persisted after you delete your app (which is a feature not a bug), there’s not going to be a “gotcha” when using the keychain API. Just realize that the keychain is just a fancy encrypted database, and follow best practices for what you should store, and when you access / write to it, like any other DB.
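The workaround the question describes (detect a fresh install, then clear leftover keychain items) can look like this; it is an added example, not the asker's code, and the `hasLaunchedBefore` defaults key is a hypothetical name.

```swift
import Foundation
import Security

// Added example. "hasLaunchedBefore" is a hypothetical UserDefaults key.
enum KeychainReset {
    static let launchFlag = "hasLaunchedBefore"

    /// Call once, early in app launch, before any keychain read.
    /// UserDefaults is removed when the app is uninstalled; keychain items
    /// are not, so a missing flag means items from a previous install may
    /// still be present. Returns true when a wipe was performed.
    @discardableResult
    static func wipeIfFreshInstall(defaults: UserDefaults = .standard) -> Bool {
        guard !defaults.bool(forKey: launchFlag) else { return false }

        let classes: [CFString] = [
            kSecClassGenericPassword,
            kSecClassInternetPassword,
            kSecClassCertificate,
            kSecClassKey,
            kSecClassIdentity,
        ]
        for itemClass in classes {
            // A query with only kSecClass matches every item of that class
            // that this app is entitled to see.
            let query: [String: Any] = [kSecClass as String: itemClass]
            let status = SecItemDelete(query as CFDictionary)
            // errSecItemNotFound only means there was nothing to delete.
            if status != errSecSuccess && status != errSecItemNotFound {
                NSLog("Keychain wipe failed for %@: %d", itemClass as String, status)
            }
        }
        defaults.set(true, forKey: launchFlag)
        return true
    }
}
```

Because the delete query is not narrowed by service or access group, it also removes items in any shared access group the app belongs to; add `kSecAttrService` or `kSecAttrAccessGroup` to the query if sibling apps rely on those items.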
As you know, when we share data between two apps in iOS, we can use keychain. And in iOS 8 and later, we can also use app groups to implement the same function.
My question is what's the difference between keychain and app groups, which one will be better, and why?
Keychain
If we save the data in the keychain, it still remains there when you uninstall the app unless it is completely reset.
For example, you might implement some login functionality and save it in the keychain. If the user uninstalls the app later then re-installs the app, you can grab those values from the keychain.
App groups
App groups are mainly used when you want to share data (for example SQLite or Core Data) between your apps.
For example, if your app has a widget and it wants to get data from SQLite or Core Data, then you would create an app group and save the SQLite or Core Data file in that app group path instead of the app's document directory. Now both your widget and app can track the changes in your DB file.
These are some common examples of the things you asked.
I have an iOS app which loads certain features depending on the settings that the user sets. Currently I am using NSUserDefaults to save and retrieve these settings and it works fine. But from what I understand anyone can view and edit them with a simple XML editor. You don't even need to jailbreak an iOS device to gain access to them. So they aren't very secure.
I was wondering if anyone could give me some advice on how I can go about saving app settings (these are NON-secure settings, no passwords, just simple things like ints and strings).
Here are a few ideas I had:
IDEA 1 Add a JSON file to the app NSBundle and then edit/save that JSON file every time you want to load/change the app settings.
IDEA 2 Use Keychain - it can store strings right? And it can't be accessed or edited by anyone. (hopefully even the NSA... lol). I could just store an array of strings in keychain for my app settings.
IDEA 3 Store the settings on a server and get the app to pull them down for the user every time they use the app.
IDEA 4 If NSUserDefaults supports this, then maybe locking the NSUserDefaults so that the end user can only view them but not edit them. Only the app will be able to edit them.
The main point is that I am worried that if I use NSUserDefaults, the user may see them and edit them and then the app will not function properly. While I am not storing any kind of secure data, it would be nice if I can prevent the user from editing the app settings.
Are any of these approaches any good?
Thanks for your time, Dan.
All of them are good ideas, but just one issue with the first one:
You can not write or change files in the main bundle.
As long as the user did not jailbreak their device, the NSUserDefaults cannot easily be changed.
The keychain should only be used for passwords, tokens, etc.
In your case NSUserDefaults will do just fine, or just saving some file to the documents directory of your app is also an option. You can even create your own settings class that conforms to the NSCoding protocol and save it.