I'm building an iOS app version of a web app and I need to store the session ID that is returned after a user logs in. All other information that I need is not sensitive, so I'm going to store it in NSUserDefaults, but the session ID is the one sensitive piece of information I can't store in NSUserDefaults. What's the best way to store the session ID?
Why, in the iOS Keychain of course!
iOS Keychain Services
There are many libraries that help with this task, one of the most commonly used is SSKeychain. Although, you could also read the documentation and figure out how to do it yourself, or reference Apple's examples as a way of doing this.
links valid as of June 3rd, 2015
It is pretty secure to store session ID in NSUserDefaults. No other apps can access that.
Although this information can be obtained if you connect the device.
For a more secure way you can always use the built-in keychain access to store the sensitive data
You can store the session id in NSUserDefaults, it's OK because it is visible to the user as a cookie as well. You can also just store the session cookie as a cookie. If you really want to store it safely you can use the keychain.
Related
I have an application that is implementing storage using Key/Value pairs in iCloud. From what I read in the documentation this is almost identical to the way NSUserDefaults work.
However this potentially creates a problem because the user should not have the ability to tamper with the app data stored in there. Does this mean that the user can access this data and modify it? Or is it private to the application?
Okay reading deeply in the documentation it says
If your app needs to store passwords, do not use iCloud storage APIs
for that. The correct API for storing and managing passwords is
Keychain Services, as described in Keychain Services Reference.
I found this text here just one line before the last table :)
I also found somewhere that the user can delete his iCloud data manually which can be counted as a modification.
Also, read here, section fro "Start Fresh If Your iCloud Data Becomes Inconsistent During Development" where it says how you can clean the container. Maybe you can check what is visible inside.
It depends what type of data you are storing in the iCloud if it's sensitive then I would use keychain services approach and avoid storing sensitive information on the iCloud.
From the question it seems like you are storing the data in key-value pairs, usually, it's recommended to store preferences, settings, and simple app state and that should be ok because the user can change those, you should choose the right iCloud API for what you want to store
With iCloud the user can always delete the information it has stored as mentioned in the documentation
There may be times when a user wants to delete content from iCloud.
Provide UI to help your users understand that deleting a document from
iCloud removes it from the user’s iCloud account and from all of their
iCloud-enabled devices. Provide users with the opportunity to confirm
or cancel deletion
When you ask
Or is it private to the application?
There's an iCloud identifier in your entitlements file. If it's the same in both apps you'll be able to access the same data/documents across both the apps.
Hope that helps.
I need to store a persistent remember token (a string) between app launches and device restarts. The token will be provided by a server once my user logs into the app and its back end service (which is already built). Specifically, I need to set up a persistent data placeholder for the remember token but I don't ever want the code to actually set the value of that placeholder.
On the one hand, it seemed like NSUserDefaults (now called UserDefaults) was a simple way to do this, but after reading the documentation, it doesn't seem like that was the intention of the feature. All the documentation I've see shows setting it up by assigning a value to a key. I definitely don't want to ever have the app assign a value to that key.
What's the simplest way to do this?
The simplest way to achieve that while also taking security into consideration is to use the Keychain. Data stored in the Keychain is encrypted using the key one provides for example when setting the Touch ID support.
You should never, ever, ever, use UserDefaults for such a task. The reason is UserDefaults are backed by the simple, unencrypted .plist file that is a part of your bundle, and can be more or less easily viewed by anyone that can get access to your ipa (e.g. anyone with jailbroken device).
The KeychainAccess API is written in Objective-C, but there are numerous wrappers that encapsulate this using Swift. You can use this on https://github.com/kishikawakatsumi/KeychainAccess
I'd appreciate that someone could make it clear some questions I have regarding Data Protection feature:
Is needed/recommended to enable Data Protection to encrypt and protect the SQLite files managed by Core Data? If so, what should I do to encrypt and protect such files?
I followed a tutorial for using Keychain and it said that complete level of Data Protection had to be enabled for the App ID in the Apple Member Center, so that I did. However, it said nothing about also enabling Data Protection in the Xcode's project, so I didn't. It seems that I can access Keychain in my iOS app without problem, but this looks weird... should I also enable Data Protection in the target's settings?
Thanks so much
It depends what you're storing there and thus what is at risk if someone gains access to it. In most cases you don't need to encrypt the data in the DB specifically as someone will use a device lock to secure the device and any specific data that you want to make secure should be stored in the keychain. This is usually the user identifying data and account authentication tokens.
If someone gets access to a device that is unlocked (pin code / touch ID has been cleared or authenticated) then they can do pretty much whatever they want with the device (keychain and automatically encrypted data) and you can't stop them (at best you can slow them down).
Apple does mention you can limit access to Keychain data if someone tries to add their fingerprint after-the-fact. More info in the Keychain section of https://www.apple.com/business/docs/iOS_Security_Guide.pdf
The only thing you can do really is to explicitly encrypt the data which requires it using a key that is explicitly entered by the user each time you need to encrypt / decrypt. That key could be stored in memory temporarily, but you can never write it to disk. In this way the user has to enter the key to use the data and the key can only come from the user.
I an building my first iOS application and I need to store the user registration details of the user using the application. The details include his mobile number and a unique id( uuid ) which I use to contact with the backend. It would be great if I could get a suggestion on where to store this user details.
Should I be storing this in the NSUserDefaults or should I be using Keychains to store this data or even may be a using a user model in the database ( I would need a database in any case to store a few other details ). Just to add on, I also would like to perform a few validations like if the mobile number is of proper format and so on before I could actually save it. Also can any one please suggest on the security aspects of different storage mechanisms possible here?
Any help on this would be much appreciated.
The most secure way would be to use keychain services as the data is encrypted but in your scenario it seems a bit over kill. I would recommend either just using NSUserDefaults or an sqlite database I wouldn't really recommend storing in a plist as this can be accessed really easily.
But this all depends on the data you are getting, if it was just uuid and mobile number then NSUserDefaults would do probably, whereas if you were getting usernames and passwords and other personal data I would looking a mix of keychain and sqlite database.
Also you could use coredata file to store user data but seems a bit over kill as well for for such little data.
Just a little note you are actually not allowed to get the iPhones mobile phone number programmatically, getting this would use Private APIs that Apple would reject your app for using.
2.5 Apps that use non-public APIs will be rejected
So you would have to ask he user for this.
Database selection is totally depend on the architecture and security, if you just need to store the few information like login details and some field then Keychain for login details and plist for data is best option, but if your application also working with services and fetching and saving lots of data and continuously updating it then a serious database structure required. In that scenario core data and sqlite both are good option depends on your preference
Following ways you can save details.
In NSUserDefaults
In coredata file.
In sqlite database
Plist file.(Not recommended)
You can save data at server site using webservice.
Any one of these you can use according to your requirement and data.
Cheers :)
If you store information on the UserDefaults, a jailbroken device can see the information you have stored, it is a plist after all. If you are going to keep sensitive data on your device, user defaults itself is not a good option. Possible alternatives:
Use keychain: Keychain is a tool to keep usernames & passwords securely on a device; so you may need to find a way to convert all the info you have mentioned ( a dict, I presume? ) into NSData and put into/get from the keychain but it's been explained on other threads. Additionally, keep in mind that when the app is deleted, keychain data will persist on the device.
UserDefaults & encrpytion: If you can encrypt the data yourself, than using UserDefaults might be a better option. Its more straightforward than keychain and it will be deleted if you delete the app from the device (which may be the thing you want, or not. It depends)
I am making a app where I need to store some login details.
I searched over internet and found usage of NSUserDefaults has some security issue.
As for keychain, how much data can I store for a single app?
The other option using sqlite also has some security issue.
About application update, how can I preserve data in the next application update.
So which one should I go for?
NSUserDefaults is a big NO for storing any secure data.
If it is only pertaining to user's username & password,i.e sensitive information, then Keychain is the best thing to use.
For other kinds of data(not sensitive) you can use Core Data to store information.
When an update takes place, you can explicitly copy data that is present & import it to your update.
Keychain data as such remains available to the app, after an update.