I'm creating app for iOS in the Xcode. There will be the private key that will be the same for all users (clients). What is the best way to store it on the client side (in iOS)? in what form should I store it and where is the best place? In which form it is better to put it in the installation package? I will use this key to encrypt the data. Thanks in advance for your answers
Safest and recomended way would be receiving the encrypted private key from a server (via a https connection) and the storing it in the secure container (Keychain).
Related
I have stored fabric_api key in Info.plist file.But I don't want to include my key and secret in the info.plist file when the the app is live.
what is the best way to keep fabric/crashlytics key secure?
I only know several ways:
Just put it in a constant variable, or if you want under your struct that handles all your keys. That's it.
UserDefaults.
Use libraries to obfuscate somehow your keys, such as https://github.com/orta/cocoapods-keys
Keychain.
The last one is discussed by Apple.
Keeping a private key in a keychain is a great way to secure it. The key data is encrypted on disk and accessible only to your app or the apps you authorize.
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
Also some interesting discussions:
In iOS, how can I store a secret "key" that will allow me to communicate with my server?
swift3 - How to protect secret key
I hope this helps.
I have an iMessage application that send files. Data is saved in iCloud servers using CloudKit. Everything works well.
Now I want to add a new level of security. I want to encrypt the data before sending it to iCloud.
The problem is that using public/private key pairs is not possible:
In iMessage the extension can't identify users.
No real time session can be opened between conversation participants to exchange keys.
None of the options below are strong enough to make the data secure:
Use a key encryption hardcoded in the application.
Generate a random key, encrypt data with it and save it with the data in the iCloud servers, so it can be downloaded with the file to decrypt it.
iCloud may be secure but users' data could be personal/sensitive so I want to add a new security layer + it's a fun exercice for me.
Could anyone help to find the right encryption method?
You could send the key in the url of a custom MSMessage, along with the CloudKit address. The url key and address can be encoded, base-64 format as a data url so only your app knows how to decode.
That way at least someone needs to know how to decode your standard url's before getting the encryption key.
I want to create a new iOS app.
and for this app I have some security questions
Example
The first start the user log in with username and password. When the log in is correct The user receive a api code. Just This code Will be stored in the app
So every time they use a make a request to the side like calling for the use a list I don't send the username and password I will send the api code for authentication.
Like this
https://example.com/api/{APICODE}/getUserList
The answer will be json
So my Questions are
- how to securely store the api code in the app
- is there a better way to make the requests
- I will store the requested data in the app, what is the best way, SQLite or plain files with json
The reason is That the app works without Internet
Thanks for help
Save secured data in the Keychain. For other you may use UserDefaults, files, SQLite DBs, CoreData
I want the user to use their RSA private key via file sharing to store in my App's document directory. It is ok if the user has access to the RSA private key, but I don't want anyone else to have access to it. Is this a good idea and if not how can I get the user's to store his/her RSA private key in my App securely.
You need to use the keychain to store sensitive information like private keys.
https://developer.apple.com/library/ios/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
Do not attempt to roll your own solution ... iOS has already done the hard work for you (~properly).
Using the keychain will protect your data from other apps.
If you want to do this for OS X rather that iOS, then take a look at
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/03tasks/tasks.html#//apple_ref/doc/uid/TP30000897-CH205-TP9
I am creating a Twitter client for Mac OS X and I have a Consumer secret. It's to my understanding I should not share this secret key. The problem is that when I put it as a string literal into my application and use it, like this:
#define QQTwitterConsumerSecret #"MYSECRETYOUMAYNOTKNOW"
[[QQTwitterEngine alloc] initWithConsumerKey:QQTwitterConsumerKey consumerSecret:QQTwitterConsumerSecret];
It is in the data section of my application's binary. Hackers can read this, disassemble the application, etcetera.
Is there any safe way of storing the Consumer secret? Should I encrypt it?
There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it.
Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they've likely just obscured it somehow.
For example, you could break it up into different files or strings, etc.
Note: Using a hex editor you can read ascii strings in a binary, which is the easiest way. By breaking it up into different pieces or using function calls to create the secret key usually works to make that process more difficult.
You could just base64-encode it to obfuscate it. Or, better idea, generate the key instead of just storing it - write something like this:
char key[100];
++key[0]; ... ; ++key[0]; // increment as many times as necessary to get the ascii code of the first character
// ... and so on, you get the idea.
However, a really good hacker will find it no matter what; the only way to really protect it from others' eyes is using a secure hash function, but then you won't be able to retrieve it, too :)
You should not use a secret api key in an application that does not run solely on your server.
Even if it's perfectly hidden.. you can always snoop on the data going through the wire. And since it's your device you could even tamper with SSL (man in the middle with a certificate created by a custom CA which was added to the device's trusted CA list). Or you could hook into the SSL library to intercept the data before actually being encrypted.
A really late answer...
If you setup your own server, you can use it for helping you desktop app getting authorized by users on twitter without sharing (i.e.: embedding) your secret key.
You can use this approach:
When a user installs you desktop app she must register it with twitter and with your server
*)
*) The app asks the server to generate the token request URL
*) The server sends the generated URL to the app
*) The app directs the user to the authorize URL
*) The user authorizes your app on twitter and pastes the generated PIN into it
*) Using the PIN you app grabs the token
*) All further communication uses the token and does not involve your server
Note: the app logs to your server using the user credentials (e.g.: id and password) for your server.