KeyChain - what is it? - ios

I'm writing my first app for iOS. It is meant to include some protection against repeated actions from the same user device (or possibly the same Apple account). There is no "login-password" sign-in at the application level as such, so it was necessary to implement hidden identification.
It would be convenient to generate a random number that would be stored somewhere on the user's side and remain unchanged even when the app is reinstalled.
I started reading about it and learned about SSKeyChain, but I just do not have enough experience to understand its logic... Please explain in accessible language!
My assumptions:
(please correct me if I'm wrong!)
1) Each user has a single Apple account, to which all the apps on one device are attached, and thus so is the storage on the device. Or is it a cloud for one account and multiple devices for this account (which is what is called the keychain)?
2) There is free access to the SSKeyChain library (via the Security framework), through which I can write any data for my application under its own keys (the app password, login, color scheme)... so that when the app is reinstalled, it can check "are there any settings in KeyChain for me?" and take the data from there. Similar to NSUserDefaults/SharedPreferences (iOS/Android), but not disappearing after the app is reinstalled.
3) The only ways to lose data from the KeyChain on the user's device are a change of Apple account or some action by Apple.
So? :)

If you reinstall the app, the information stored in the keychain is still there. But your provisioning profile should not change.
From the documentation:
On iPhone, Keychain rights depend on the provisioning profile used to sign your application. Be sure to consistently use the same provisioning profile across different versions of your application.
The keychain is an encrypted container, and in iOS an application can access only its own keychain items.
When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup.
It is just a container that iOS provides to save sensitive data. I do not understand what you say about the Apple account.
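
An added example (not from the original posts) of the approach discussed above: a random identifier written to the keychain once and read back on later launches, including after a reinstall. The service and account strings are placeholder names chosen for this example.

```swift
import Foundation
import Security

// Hypothetical labels for this example; any stable strings work.
let service = "com.example.myapp.install-id"
let account = "device"

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

/// Returns the identifier stored in the keychain, creating it on first run.
/// `created` is true only when no item existed yet on this device.
func installIdentifier() throws -> (id: String, created: Bool) {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]

    // 1. Look for an item left by a previous install.
    var query = base
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecSuccess,
       let data = result as? Data,
       let id = String(data: data, encoding: .utf8) {
        return (id, false)
    }
    guard status == errSecItemNotFound else {
        throw KeychainError.unexpectedStatus(status)
    }

    // 2. Nothing found: generate a random value and store it.
    let id = UUID().uuidString
    var attrs = base
    attrs[kSecValueData as String] = Data(id.utf8)
    // ThisDeviceOnly keeps the item out of iCloud Keychain and out of
    // restores onto a different device, so it identifies this device only.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let addStatus = SecItemAdd(attrs as CFDictionary, nil)
    guard addStatus == errSecSuccess else {
        throw KeychainError.unexpectedStatus(addStatus)
    }
    return (id, true)
}
```

A `created` value of false on the first launch after installation indicates a reinstall on this device. Erasing the device removes the item, so a server-side record is still needed for anything that must survive that.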

Related

ios - sharing data between apps, but linked to AppleID

I'm developing 2 apps, which are already done for Android, and trying not to get confused by Apple's security frameworks.
Here is the Android apps scheme:
App1 creates and saves the user's account locally (as an SQLite database)
in App1 the user can save/resume a backup to/from the filesystem (using SQLite3 and SHA256)
in App2 the user can check whether there is any saved account, then use this saved data (e.g., a token) for some HTTP requests
so the user account is linked to the device
I've found that on iOS I had better save data linked to the AppleID, to protect it when the AppleID is switched to another one, so for my case (saving a token in App1, then having access to it from App2) CloudKit, or maybe KeyChain, is a good choice, right? At least better than storing it locally on the device, even hashed beforehand.
So I need to save to the cloud:
some Bool/String property to show if App1 is installed;
another Bool/String to show if there is saved account data;
some data as [String: Any]
And saving should depend on the AppleID - by the way, is it possible to detect whether the user is logged in to iCloud at this time?
So my question is - what scheme should I use to keep my data secure and share it between apps? Is iCloud with CloudKit a good decision? Or will Keychain be better?
Use keychain with app groups, so all your apps can access the secured data which will be stored in the keychain.

iOS DeviceCheck API - Will the token remain same if user uninstall the app

We want to prevent a user from creating multiple profiles on the same device.
For this we first tried IDFA but IDFA can be reset anytime from Settings.
Then we found DeviceCheck that states:
identifying Access per-device, per-developer data that your associated
server can use in its business logic
According to this we get to set two bits per device and a token for server to server verification. Now the question is:
If the user uninstalls the app and installs it again, will the token remain the same?
How would we detect that the user isn't creating multiple profiles on the same device?
Device Check is the best solution for what you are trying to achieve. The advertising ID can be turned off and reset, and the [[UIDevice currentDevice] uniqueIdentifier] will be reset once the user uninstalls all apps from a given developer.
Device Check is the solution Apple has proposed to check whether a device has redeemed an offer, created a previous profile, or simply to check whether the device is an authentic Apple device.
It requires the use of a server to communicate with Apple servers to validate a client generated token. You get two bits you can set. Those two bits are connected to your developer profile, not two bits per app.
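
The client half of the flow described in this answer, as an added example that is not part of the original thread: the app generates a DeviceCheck token and posts it to the developer's own server, which then talks to Apple. The endpoint URL, the JSON field name and the error type are assumptions made for this example.

```swift
import Foundation
import DeviceCheck

// Hypothetical endpoint on the developer's own backend; not an Apple URL.
let registerURL = URL(string: "https://api.example.com/v1/device-check")!

// Hypothetical error type for this example.
enum DeviceCheckClientError: Error { case unsupported, noToken, serverRejected }

/// Generates a DeviceCheck token and hands it to the app's server.
/// The server, not the app, asks Apple to validate the token and to
/// query or update the two bits.
func submitDeviceToken(completion: @escaping (Result<Void, Error>) -> Void) {
    guard DCDevice.current.isSupported else {
        // No DeviceCheck support here (the Simulator, for instance):
        // the server needs its own policy for clients without a token.
        completion(.failure(DeviceCheckClientError.unsupported))
        return
    }
    DCDevice.current.generateToken { token, error in
        guard let token = token else {
            completion(.failure(error ?? DeviceCheckClientError.noToken))
            return
        }
        var request = URLRequest(url: registerURL)
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        // The token is opaque to the app: forward it unchanged.
        request.httpBody = try? JSONSerialization.data(
            withJSONObject: ["device_token": token.base64EncodedString()])
        URLSession.shared.dataTask(with: request) { _, response, error in
            if let error = error {
                completion(.failure(error))
                return
            }
            let ok = (response as? HTTPURLResponse)?.statusCode == 200
            completion(ok ? .success(()) : .failure(DeviceCheckClientError.serverRejected))
        }.resume()
    }
}
```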
Keychain is the place where you can store the user's data securely. Storing data in the keychain has one more advantage — in a case when the user decides to remove the app from the device and then decides to install it again, the data is still saved.
You can also do this by storing a value in the Keychain. It will persist even if the app is deleted and thus you can tell if the app is a new install or a reinstall. So if a value is there in your keychain it is a reinstall, otherwise it's a fresh install.

How to use iCloud keychain in my app to share values across installs in different devices?

Does apple support syncing Keychain across multiple installs of the same app under the same Apple ID?
I can find documentation about keyChain but is iCloud keychain available to developers? I cannot find any documentation for that.
Yes - The keychain is user tied though. The iCloud syncing is something the user can choose but you can't be sure this is turned on. Because it's user tied the user has to use the same Apple ID on all the devices and iCloud sync has to be turned on.
As far as I remember you can choose to share the keys you save with other apps made by the same developer.
Update to answer comment: Yes - This is seen as a safe way to store information. If I remember correctly the keychain is encrypted while not in use and can only be unlocked (automatically) by the Apple account. Just note that users will be able to see what is stored in their keychain so this is not a place to hide information from the user.
The keychain should be used to store passwords and other information that should be stored safely but not hidden from the user.

Can iphone users delete your app's keychain data?

To contextualize the question, our use case is an app through which users can get free promotional items on signup. We would like to prevent abuse of the system by limiting to one promotion per device. Since we can't access the UDID, we need some other (mostly) reliable way to check if the phone has already signed up an account. We don't need a solution that is impossible to circumvent, just one that is highly inconvenient to circumvent.
If we store a unique key in the user's keychain, then we'll be able to read it again even if they uninstall and reinstall the app. We're considering using this method to track devices that have already signed up accounts.
Questions:
Is there a relatively easy way that the user could delete or change our app's keychain data? You can assume that the user's device is not jailbroken, and that they will not go to the trouble of completely reinstalling the OS.
What are other options besides using the keychain we might consider? Keep in mind that the app communicates with our server during signup, so we can store previous signup information of any kind on the server.
Are there any gotchas or problems with the keychain method we should know about?

Difference between Keychain and NSUserDefault?

I am new to Objective-C. I have created one application in which I have used both NSUserDefault and Keychain to store my user name and password. But I can't differentiate between the two. Please help me differentiate them.
Thank you.
A keychain is an encrypted container that holds passwords for multiple applications and secure services. Apple Inc. uses keychains as password management system in Mac OS and iOS.
NSUserDefaults Provides a way for application behavior customization based on user preferences. Belongs to the Foundation framework for Cocoa and Cocoa Touch.
I got this from Tag Information of NSUserdefaults and keychain
Addition:
When we save the UserName and Password and remove the app from the device:
In Keychain: UserName and Password are still there.
In NSUserDefaults: UserName and Password are also removed from the device with your app.
Try to avoid saving data locally as much as possible.
Keychain-
Keychain is a safe & encrypted way to save small storage data like username, password etc.
Beware: keychain data can be accessible from jailbroken devices.
You can get Apple sample code from here.
Keychain Sharing-
Enabling keychain sharing allows your app to share passwords in the keychain with other apps developed by your team.
Suppose we created two apps where users can log into the same account. It would be nice to have ability to share the login information between these apps. This way the user will only need to log in once in one of the apps.
UserDefaults
An interface to the user's defaults database, where you store key-value pairs persistently across invocations of your app on a given device.
UserDefaults are not a secure way to save private data.
UserDefaults are stored as a plist locally.
Anyone can track it in ./Library/Preferences/com.mycompany.MyAppName.plist
