This question already has answers here:
In iOS, how can I store a secret "key" that will allow me to communicate with my server?
(5 answers)
Closed 4 years ago.
I have an app I am building and inside of it are some strings that are sensative and I would hope no one would ever be able to get to easily by looking for strings in the binary etc.
For example this
let password:String = "SuperSecret123"
What is the proper way to hide this string inside of the project?
In most big companies, the way they handle this is not to keep the secret inside the code. Instead, you'll typically see one of three routes:
Read the secret from an environment variable that must be set to run the software
Read the secret from a configuration file
Read the secret by talking to a local secret broker
All three of these can work pretty well.
Related
This question already has an answer here:
How do I setup firebase realtime DB triggers for multiple databases using cloud functions?
(1 answer)
Closed 1 year ago.
I've two apps, same logic, but differents database.
On app 1, I use database-1, for app 2, I use database-2.
On my first app, I've deployed a onWrite functions, that's works well. The function is trigged and everything works well.
Now I want to deploy the same function, on the same project but with different database, it's that possible?
functions.database.instance('database-2').ref('/foo/bar')
According to docs, you can specify a Realtime Database instance with instance('INSTANCE_NAME').
I am setting up an Azure Function for housekeeping my relational database.
I want to be able to control what table can be clear in which interval via Application Settings (i.e. env vaiable), so I am investigating the best way to insert multiple value in one application settings.
I currently have 2 ideas:
Idea 1:
Use JSON, so the application settings will be something like this:
HOUSEKEEPING_VALUE={"table_a":3,"table_b":6}
After decoding the JSON format, I will clear table_a in 3 months interval, table_b in 6 months interval.
Idea 2:
Use the same format as those used by Azure connection string x1=y1;x2=y2;x3=y3;:
HOUSEKEEPING_VALUE=table_a=3;table_b=6;
Would like to ask the community, any other ways to achieve my goal which is more elegant? Or perhaps using JSON for my case is the norm? Thanks!
There are no elegant ways for multiple values stored in app setting in azure portal.
You should use the 2 solutions as mentioned in your question, then parse them by yourself.
There other option (secured/centralized) is using Azure App Configuration Store to and bootsrap in your Azure Functions
quick start of Azure App Configuration
how to leverage json content type
This question already has answers here:
Secure keys in iOS App scenario, is it safe?
(3 answers)
Closed 3 years ago.
I am working on a simple iOS app in Swift that uses an API that I pay for. I do not have a ton of resources and have yet to find a simple/up to date solution to this issue. I want to protect my API key and not put the key directly in my code where I make requests (I have heard this is best practice).
What would be the simplest way to protect my API key from someone taking apart my code and using it.
I've heard something about using Keychain but I'm unsure if this is the best route.
class APIService {
static let shared = APIService()
private let token = "(my token goes here)"
//...various API request functions
}
There is no easy way, nor is there a way to completely protect them from attackers. You can always do some simple key obfuscation or store them in a server but if a hacker can reverse-engineer your code they can likely reverse-engineer your obfuscation.
It'd be good to develop safety measures to take if someone does get your keys (database backups, etc.. ).
This link helped me when I was originally looking into this topic for one of my apps.
NSUserDefaults:
NSUserDefaults is simple and effective for saving small datas like NSNumbers or NSStrings, or even saving remember me option for saving ur state of UserName. NSUserDefaults is no way stored securely as it's easily gets Hacked.
KeyChain:
Best place to save tokens, api keys. Find the below apple documentation which describes more,
**βAn encrypted container that securely stores small chunks of data on behalf of apps and secure services.β "Simply a database stored in the file system.β**
KeyChain Documentation
And here is the example of Swift Version with simple way to store and retrieve data using KeyChain
https://stackoverflow.com/a/37539998/1244403
This question already has an answer here:
How secure is NSUserDefaults on iOS 8,9?
(1 answer)
Closed 6 years ago.
I'm working with one of my first iPhone apps. I have made simple login for the users. I want to store variable in NSUserDefaults which will keep track of if user is logged in. If user is logged in than it will be 1, otherwise it will be 0. And of course in other variable user username.
My question is: Is NSUserDefaults secure for keeping information like that? Is there any way in which somebody or user could manipulate with this variables and login without knowing password?
If you need security you should use Key Chains. It encodes values and is best way to save some security information. One thing that you should know is that you should not store there a lot of data as this storage is related to whole device not just to your application, so if your application will be deleted, stored data still will be alive. For example using User Defaults stored data would immediately become deleted(same with using Core Data).
I am pretty much a newbie at cryptography but I am trying to encrypt some data and save it in a file in iOS 3 because I do not want the user to just go in and edit the file. What is the proper way to securely (relatively) encrypt the data in iOS 3? Most of the documentations I found online were for iOS 5.
Any help would be appreciated!
Thanks,
Alex
I do not know iOS3 well enough to suggest something that is already built-in. If you need to develop encryption from scratch, then RC4 is absurdly easy to program. It is obsolescent now, but still reasonably secure. Its major fault from your point of view is that you need to pick a secure key using a good KDF (Key Derivation Function), such as PBKDF2.
The "proper" way to do it is to use Apple's Key chain in IOS. Unfortunately, as this post says, this isn't really that secure for IOs3. For ios4 it works fine.
Someone probably has a paid solution out there , but you may well end up writing one yourself. You are going to want to
Derive your key from a user supplied password using a key derivation function such as PBKDF2. In fact your need to derive two keys, so you are gong to run it twice with two different RANDOM salts.
Use AES with a RANDOM IV and one of your derived keys (that parts important and all the example code I've seen didn't). prepend the salts and the IV to your cipher text
Use an hmac with the other derived key on all of the above data. Prepend that.
To decrypt, rederive the keys using the key derivation algorithm with the password and prepended salts, regenerate the hmac , take the sha1 hash of the generated one and separately the sha1 hash of the one in the message, and verify that they are the same ( don't directly compare the hmacs directly) and then decrypt the data using the other derived key and the prepended IV.
This is a pain to write and annoying to users since they need to put in a separate password, but there is no way to do it securely otherwise. If you store the key on the iphone, someone can read it and decrypt the data. Yeah you could encrypt the key, but then how do you store that key?
I don't believe apple has decent objective c bindings for any of this,so you need to use the common crypto c API. Its documented here. The objective-c APIs which appear to be useless, are documented here