I thought about storing important and sensitive information in iOS' keychain. But now I read that the keychain is only restored if the backup is encrypted in iTunes (don't know about iCloud backups). This is especially a problem when users buy a new iPhone/iPad and restore them from a backup. The information stored in the keychain by the old device will be lost.
Is there any (secure) possibility to transfer the data to new devices or on restores independently of the backup settings?
You can transfer data using the iCloud, but this is NOT really secure! Save this data ENCRYPTED on your server and let the app read this data would be a solution.
Btw. you shouldn't save sensible data unencrypted in the keychain. The keychain can be read really easy after jailbreak.
For more information about handling with sensible data you may read this book:
Hacking and securing iOS Applications
Related
I'm developing 2 apps, which are already have done for Android, and trying not to confused with Apple's security frameworks.
Here is the Android apps scheme:
App1 create and save locally(as SQLite database) User's account
at App1 user can save/resume backup to/from filesystem (using SQLite3 and SHA256)
at App2 user can check, if is there any saved account, then use this saved data (for ex., token) for some http requests
so user account is linked to device
I've found, that at iOS I should better save data linked to AppleID, to protect it when AppleID is switched to another, so for my case (saving token at App1, then have access to it from App2) CloudKit, or maybe KeyChain, is good choice, right? At least better, than store it locally on the device, even hashed before.
So I need to save cloudly:
some Bool/String property to show if App1 is installed;
another Bool/String to show if is there saved account data;
some data as [String: Any]
And saving should be depending on AppleID - by the way, is it possible to detect, if User is login at the iCloud at this time?
So my question is - what scheme should I use to keep my data secure and share it between apps? Is iCloud with CloudKit a good decision? Or Keychain will be better?
Use keychain with app groups, so all your apps can access the secured data which will stored in keychain.
I have implemented synchronised keychain storage in my App with the SecKeychain API using kSecAttrSynchronizable. Am I correct in thinking that iCloud keychain must be enabled (iOS settings > iCloud > iCloud keychain) for this to work?
If so, is there any way to tell if this is enabled?
The kSecAttrSynchronizable attribute is used by your app to tell keychain if it is desired behavior that this keychain entry is synced to other Apple devices of that user or not.
Why would you desire an item not to be synced? E.g. the user doesn't want it to be synced as he wants to use a different password on his iPhone and on his iPad; so you may like to offer a pref and let the user chose if he desires syncing this password. Or syncing this password is simply not meaningful, e.g. it is a password that is used to encrypt local data of your application, local data that will only be present on the current device and thus this password is of no use to other devices, they lack the data for decryption.
However, your app can only express the wish for your item to be synced, whether syncing takes place at all is up to the user. The user decides if he wants password syncing at all, after all password syncing requires the passwords to be stored on Apple's servers. They are stored encrypted and not even Apple themselves have access to the password data, yet some users still don't have a good feeling having when that kind of information lying around on public servers on the Internet. So unless a user enables syncing, no passwords are synced.
Why would you need to know if the user has enabled it? To tell the user that passwords are not synced unless he enables syncing of passwords? Sounds a bit like telling the user that the room is dark, unless he turns on the light. If it is not on, the user may have chosen so on purpose, you cannot know if he did, can you? If you offer an option for password synchronization in the app prefs and the user enables is, just show an info text below that this feature requires iCloud keychain syncing to be enabled or else will have no effect.
Other than that, if you don't offer such an option, it should still be pretty obvious to all users that when your app promises "Now supporting iCloud Keychain Synchronization" that this feature will only work if "iCloud Keychain Synchronization" is enabled, don't you think? So to my best knowledge, there is no API that will directly tell you. One may detect in indirectly through other means but I don't recommend such kind of hacks, they are very fragile and sooner or later break with an update.
I want to store a variable that tells me if a user has made an InApp Purchase on the mobile device. NSUserDefaults seems to be accessible from users. Is there a simple and efficient way to do this ?
There a couple of options.
Save the data in the Keychain.
Generate a random key, encrypt the data with CommonCrypto, save the encrypted file in Documents directory and the encryption key in the Keychain.
See WWDC13 2013 video "Protecting Secrets with the Keychain". You can access it either on you computer or on an iOS device with the Apple WWDC app.
My question is directly related to this one but is different: iOS: keychain on new devices or on restores.
The poster is curious if you store information in keychain storage, does it get backed up to iTunes and iCloud so that when you restore it to another device the data are persisted. A partial answer to the OP's own question was:
But now I read that the keychain is only restored if the backup is encrypted in iTunes (don't know about iCloud backups).
The accepted answer was:
You can transfer data using the iCloud, but this is NOT really secure! Save this data ENCRYPTED on your server and let the app read this data would be a solution. Btw. you shouldn't save sensible data unencrypted in the keychain. The keychain can be read really easy after jailbreak.
Is whether the backup is encrypted or not determined by the developer's access to encrypt the data in code or by how the iTunes or iCloud user handles their backups? The answer to this is very important to me because I am trying to set an initial launch date of an app that determines how long before they have to resubscribe with in-app subscriptions. This piece of information must be shared between old and new devices and also remain on a single device even if the app is removed for a time period.
The following text was from Apple's doc:
Keychain (this includes email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications. If you encrypt the backup with iOS 4 and later, you can transfer the keychain information to the new device. With an unencrypted backup, you can restore the keychain only to the same iOS device. If you are restoring to a new device with an unencrypted backup, you will need to enter these passwords again.)
I am new to objective C, I have created one application in that I have used both NSUserDefault and Keychain to store my user name and password. But I cant differentiate both. Please help to differentiate the both.
Thank you.
A keychain is an encrypted container that holds passwords for multiple applications and secure services. Apple Inc. uses keychains as password management system in Mac OS and iOS.
NSUserDefaults Provides a way for application behavior customization based on user preferences. Belongs to the Foundation framework for Cocoa and Cocoa Touch.
I got this from Tag Information of NSUserdefaults and keychain
Addition:
When we saved userName and Password. and Remove app from device.
In Keychain: UserName and Password still is there.
In NSUserDefaults: UserName and Password also remove from device with your app.
Try to avoid saving data locally as much as possible.
Keychain-
Keychain is safe & encrypted way to save small storage data like username, password etc.
Beware keychain data can accessible from jailbroken devices .
You can get Apple sample code from here.
Keychain Sharing-
Enabling keychain sharing allows your app to share passwords in the keychain with other apps developed by your team.
Suppose we created two apps where users can log into the same account. It would be nice to have ability to share the login information between these apps. This way the user will only need to log in once in one of the apps.
UserDefaults
An interface to the user's defaults database, where you store key-value pairs persistently across invocations of your app on a given device.
UserDefaults are not secure way to save private data.
UserDefaults are stored as plist locally,
Anyone can track in ./Library/Preferences/com.mycompany.MyAppName.plist