How does this app Keychain2Go get all the keychain items on iPhone and delete them?
As stated in Apple's documentation:
In iOS, an application always has access to its own keychain items and
does not have access to any other application’s items. The system
generates its own password for the keychain, and stores the key on the
device in such a way that it is not accessible to any application.
When a user backs up iPhone data, the keychain data is backed up but
the secrets in the keychain remain encrypted in the backup. The
keychain password is not included in the backup. Therefore, passwords
and other secrets stored in the keychain on the iPhone cannot be used
by someone who gains access to an iPhone backup. For this reason, it
is important to use the keychain on iPhone to store passwords and
other data (such as cookies) that can be used to log into secure web
sites.
But Keychain2Go really can. How?
As far as I understand from the documentation of Keychain2Go, it provides all the secure information of your Mac on an iOS device. So it does not have any ability to change the iOS keychain items.
On iOS
For the first time ever, you can now access your Mac's keychain on your iOS device. You get full access to your keys stored in Keychain2Go. Never again will you fail to log in to your web mail account when abroad because you forgot your password on the Mac at home.
Related
We have an enterprise iOS SDK that uses Keychain to store highly sensitive information. This information is not available to the client's app.
I've always thought that you need a key to fetch the associated value from the Keychain. But recently, I found out you can ask Keychain to return all the stored keys in Keychain (IMHO, this is a bad design).
Since the client's app can easily fetch all the Keychain elements, I'd really like to create a separate Keychain store for the SDK only. I've looked over SO questions but never found an answer.
TL;DR:
How to create a separate Keychain store in iOS?
You can't.
The security boundary for the KeyChain is the app (Or the KeyChain identifier across multiple apps from the same developer if you enable KeyChain sharing).
Once your framework is embedded in the client app, it is part of the client app. It doesn't have its own context or process space or anything to distinguish its code from the client code.
If code in your framework puts something in the KeyChain then, to iOS, it is the client app that has put something in the KeyChain, and there is no reason to keep a secret from itself.
Even if you could create a KeyChain just for your framework, presumably the code that puts the information in the KeyChain is in your framework, so an attacker could just decompile your framework to obtain the information.
I know how to save login info in the default user preferences. But how do I save the login info for several days until the app asks the user to log in again?
You SHOULD NOT store confidential data in user preferences, NEVER EVER EVER do this please. Apple can reject your app if this security issue is detected in app review.
Ok, the better choice you have is to save that info in the Keychain; the Keychain is a system-secured database for this kind of usage (storing confidential information).
There is some info about KeyChain
Also you can easily find some libs like SSKeychain or play with the Generic Keychain example by Apple to make things easier, because KeyChain requires a low-level API to access and store data.
The interesting thing here is, if you use Keychain to store username and password for example, the app is able to "remember" them even if it is uninstalled and installed back by the user. So you'd better not worry about the time; just try to log in with these credentials when needed.
Good luck!
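The two threads above make related points: the SDK question notes that any code in the app can ask the keychain for every item the app owns, and the answer just above says credentials belong in the keychain rather than user preferences, behind a low-level API. The following Swift snippet is an added example (not code from either poster, nor from SSKeychain or Apple's Generic Keychain sample) that stores, loads and deletes a generic-password item, and then lists every account this app's keychain contains, which is exactly the enumeration the SDK author was worried about. The service name, account name and secret are hypothetical values.

```swift
import Foundation
import Security

// Added example: a minimal wrapper around the Security framework's generic-password items.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case itemNotFound
}

struct KeychainStore {
    let service: String   // hypothetical: typically the app's bundle identifier

    private func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Save or overwrite a secret for `account`.
    func save(_ secret: Data, account: String) throws {
        let query = baseQuery(account: account)
        // Delete any previous item so SecItemAdd does not fail with errSecDuplicateItem.
        let deleteStatus = SecItemDelete(query as CFDictionary)
        guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(deleteStatus)
        }
        var attributes = query
        attributes[kSecValueData as String] = secret
        // Readable only while the device is unlocked; never migrated to another device through a backup.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func load(account: String) throws -> Data {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { throw KeychainError.itemNotFound }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return data
    }

    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }

    // Audit helper: every generic-password account visible to this app, across all services.
    // Any code linked into the app process (including an embedded SDK) gets the same list,
    // because the keychain's security boundary is the app, not the framework.
    func listAccounts() throws -> [String] {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecReturnAttributes as String: true,
            kSecMatchLimit as String: kSecMatchLimitAll,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return [] }
        guard status == errSecSuccess, let items = result as? [[String: Any]] else {
            throw KeychainError.unexpectedStatus(status)
        }
        return items.compactMap { $0[kSecAttrAccount as String] as? String }
    }
}

// Usage (hypothetical values).
let store = KeychainStore(service: "com.example.loginapp")
do {
    try store.save(Data("hunter2".utf8), account: "alice")
    let password = String(decoding: try store.load(account: "alice"), as: UTF8.self)
    print("loaded password for alice:", password)
    print("accounts this app can see:", try store.listAccounts())
    try store.delete(account: "alice")
} catch {
    print("keychain error:", error)
}
```

The `listAccounts` call is the practical consequence of the "You can't" answer above: because the item's owner is the app, a separate store for an embedded SDK cannot be carved out of the same process, and an app developer auditing what their own build has written to the keychain will see the SDK's items too.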
What is the best way to store confidential data like usernames, passwords, etc in an iOS application?
Apple provides the keychain for storing sensitive information.
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html#//apple_ref/doc/uid/TP30000897
You should not use NSUserDefaults or CoreData unless you have provided some means of encrypting the content, and even so, you'll still need to manage and store encryption keys securely. The keychain provides all of this for you, and with iOS 8 you can now flag keychain items to require presence of a device passcode if desired.
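The answer above mentions that since iOS 8 a keychain item can be flagged to require a device passcode. As an added example (not code from the answer or from Apple's sample), this Swift snippet stores an item with the `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` protection class combined with a `SecAccessControl` that demands user presence, and reads it back. Service and account names are hypothetical.

```swift
import Foundation
import Security

// Added example: a keychain item that only exists while the device has a passcode.
// Note: an item takes either kSecAttrAccessible or kSecAttrAccessControl, not both;
// passing both makes SecItemAdd return errSecParam, so only the access-control object is set here.
func savePasscodeProtected(_ secret: Data, service: String, account: String) -> OSStatus {
    var error: Unmanaged<CFError>?
    // WhenPasscodeSetThisDeviceOnly: the item is removed if the user disables the passcode
    // and is never included in backups. .userPresence: each read requires Touch ID / Face ID
    // or the passcode, so a read by code running on an unlocked device still prompts the user.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence,
        &error) else {
        return errSecParam
    }
    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessControl as String: access,
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Reading the item triggers the system authentication prompt; the prompt text is the caller's.
func loadPasscodeProtected(service: String, account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseOperationPrompt as String: "Unlock to load your saved credentials",
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? (result as? Data) : nil
}

// Usage (hypothetical values). On a device with no passcode set, the add fails with
// errSecNotAvailable, which is the behaviour the protection class is meant to enforce.
let status = savePasscodeProtected(Data("hunter2".utf8), service: "com.example.loginapp", account: "alice")
print("add status:", status)
if let data = loadPasscodeProtected(service: "com.example.loginapp", account: "alice") {
    print("loaded:", String(decoding: data, as: UTF8.self))
}
```

`kSecUseOperationPrompt` is the iOS 8-era way to set the prompt text; newer code can pass an `LAContext` through `kSecUseAuthenticationContext` instead, but the item attributes are the same.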
Use encryption for the username and password and save them in defaults.
The proper way: Don't.
The mobile phone is a very insecure place to store information. If security is #1 for you, you should not store sensitive information on the device.
You can use the default iOS security options, for example Keychain with CommonCrypto, or openssl, but your data will never be completely safe without a secure server component.
Keychain has one very bad quality: it is as secure as the device's passcode.
As you know, many apps use the keychain to save the user's login name and password, but is it really safe? Especially on a jailbroken device. So another solution is to use the OAuth2 protocol to save that confidential information on the server side, which needs many changes on both the client and server side (for my app).
How do you guys handle this tough issue? Anyone who knows please share and thanks in advance.
Keychain:
It has two levels of encryption options:
lock screen passcode as the encryption key
key generated by and stored on the device
But when the device is jailbroken it's not safe either.
OAuth:
Even though you store credentials on the server, you'll have to save the OAuth TOKEN on the client side, and there is no place better than the keychain to store it on the client side. So now comes the possibility of extracting the TOKEN on a jailbroken device.
As far as I know, most apps use one of these approaches.
If you need that data to be very, very secure:
Suggestions:
Store the OAuth token on the server, not on the client
Store the encrypted credentials in the Keychain and store the encryption key on the server. This approach would be easy for you since you said adopting OAuth is hard for you.
Note:
There are some open source libraries available which detect if the device you run on or the app is cracked; if so you can take action like deactivating the TOKEN, deleting critical resources, locking the app, etc.
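The second suggestion above, keeping the credentials in the keychain only in encrypted form while the encryption key lives on the server, is shown here as an added Swift example (not code from the answer). The server round-trip is stubbed with a function that simply generates a key; in a real app it would be an authenticated TLS request. Service and account names and the sample credentials are hypothetical.

```swift
import Foundation
import CryptoKit
import Security

// Added example: envelope-encrypt credentials with a server-held key, store only the ciphertext locally.
struct Credentials: Codable, Equatable {
    let username: String
    let password: String
}

// Stand-in for the network call. The wrapping key is never persisted on the device;
// it is fetched each time it is needed, after the user has authenticated to the server.
func fetchWrappingKeyFromServer() -> SymmetricKey {
    return SymmetricKey(size: .bits256)   // a real server returns a per-user 32-byte key
}

func encryptCredentials(_ creds: Credentials, key: SymmetricKey) throws -> Data {
    let plaintext = try JSONEncoder().encode(creds)
    // AES-GCM; the combined representation is nonce || ciphertext || tag.
    guard let combined = try AES.GCM.seal(plaintext, using: key).combined else {
        throw CryptoKitError.incorrectParameterSize
    }
    return combined
}

func decryptCredentials(_ blob: Data, key: SymmetricKey) throws -> Credentials {
    let box = try AES.GCM.SealedBox(combined: blob)
    let plaintext = try AES.GCM.open(box, using: key)   // throws on a wrong key or tampered blob
    return try JSONDecoder().decode(Credentials.self, from: plaintext)
}

// Only the ciphertext goes into the keychain; without the server key it reveals nothing.
func storeBlob(_ blob: Data, service: String, account: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(query as CFDictionary)   // errSecItemNotFound is fine on first run
    var attributes = query
    attributes[kSecValueData as String] = blob
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Usage (hypothetical values).
let creds = Credentials(username: "alice", password: "hunter2")
let serverKey = fetchWrappingKeyFromServer()
do {
    let blob = try encryptCredentials(creds, key: serverKey)
    print("keychain add status:", storeBlob(blob, service: "com.example.loginapp", account: "alice-wrapped"))

    // With the server key the blob opens; with any other key AES-GCM authentication fails.
    let restored = try decryptCredentials(blob, key: serverKey)
    print("restored matches original:", restored == creds)
    do {
        _ = try decryptCredentials(blob, key: SymmetricKey(size: .bits256))
        print("unexpected: wrong key decrypted the blob")
    } catch {
        print("wrong key rejected as expected:", error)
    }
} catch {
    print("error:", error)
}
```

This reduces what an attacker gains from a keychain dump on a jailbroken device to an opaque blob, and lets the server revoke access by refusing to hand out the key. It does not protect against code running inside the app at the moment the key is fetched, which is why the answer pairs it with server-side token handling and with detecting compromised devices.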
Rather confused about this.
I'm storing the user's username and password inside the Keychain in my app; does this constitute an encryption feature in accordance with the App Store Export Compliance? Or does this concern things like SSL?
Thanks
I submitted the app without ticking the box for encryption data and it was accepted. It seems that the keychain does not affect this.