Hello,

Apologies for the seeming obviousness of this question, but for whatever reason I haven't been able to find a definitive answer in the Apple documentation about where and how Settings.bundle password info is stored. My question: if I need to store some credentials for an app, and I use a Settings.bundle so that the password is entered into a PSTextFieldSpecifier textfield in Apple's Settings area with IsSecure = YES, and then I access the value from my app using CFPreferencesCopyAppValue, never writing it out to NSUserDefaults and only sending it over the network securely, how secure is that storage and retrieval method when compared to storing and retrieving the password using the keychain in my own app settings? Thanks for your input.

+3  A: 

CFPreferencesCopyAppValue is just the Core Foundation way of accessing the same information you get when using NSUserDefaults. In terms of security, the features are exactly the same. That is, it's not encrypted. It's secure only in the sense that it's obscured. The "correct" answer is to use the keychain.

The counter to that is that many applications use NSUserDefaults to store passwords. You could argue that unless the password controls access to information of any value then it's not worth the effort in trying to use the keychain. Which brings me to the second argument in favour of using a secure field in the Settings application: the keychain API is hideous and, in my experience at least, writing error-free code is tricky.

Stephen Darlington
Good to know, thanks. I'm going to stick with the Keychain -- it wasn't clear to me that the Settings info was ending up in the same place as NSUserDefaults.
Halle
You might be interested in using SFHFKeychainUtils: http://github.com/ldandersen/scifihifi-iphone/tree/d4298f123a06a91acbe8422ddb6164be3dbcff9e/security. I'm using it for storing passwords and it really simplifies use of the keychain.
Chu Yeow
I've found that the Apple sample code that has an implementation of a keychain wrapper for Keychain Services is pretty easy to follow (and then subsequently use the wrapper for your own app keychain management) if you strip out the presentation code from the view controller, which I think is where most of the confusion comes in with that example.
Halle
+1  A: 

Keychain on the iPhone is going to be the most secure, unless you're using custom encryption, which is very difficult to do (and export). NSUserDefaults isn't considered secure.

Jordan
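
An added example, not code from either answer or from Apple's sample: a small Objective-C wrapper over Keychain Services for the generic-password case both answers recommend instead of NSUserDefaults, with every `OSStatus` checked. It assumes ARC; the service string and the `Example*` function names are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service identifier; use any stable string unique to the app.
static NSString * const kExampleService = @"com.example.myapp.login";

// Attributes that identify one stored credential (class + service + account).
static NSMutableDictionary *ExampleBaseQuery(NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kExampleService,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// Store or replace the password. Returns errSecSuccess on success.
OSStatus ExampleStorePassword(NSString *account, NSString *password) {
    if (account == nil || password == nil) return errSecParam;
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableDictionary *query = ExampleBaseQuery(account);
    // Update in place if the item exists; SecItemAdd alone would fail
    // with errSecDuplicateItem on the second save.
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
        (__bridge CFDictionaryRef)@{ (__bridge id)kSecValueData: secret });
    if (status == errSecItemNotFound) {
        query[(__bridge id)kSecValueData] = secret;
        // Readable only while the device is unlocked, and never migrated
        // to another device through a backup.
        query[(__bridge id)kSecAttrAccessible] =
            (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
        status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
    }
    return status;
}

// Returns the password, or nil; *outStatus says why (e.g. errSecItemNotFound).
NSString *ExampleCopyPassword(NSString *account, OSStatus *outStatus) {
    if (account == nil) { if (outStatus) *outStatus = errSecParam; return nil; }
    NSMutableDictionary *query = ExampleBaseQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess) return nil;
    NSData *data = CFBridgingRelease(result);   // hand ownership to ARC
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the credential (for example on logout); a missing item is not an error.
OSStatus ExampleDeletePassword(NSString *account) {
    if (account == nil) return errSecParam;
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)ExampleBaseQuery(account));
    return status == errSecItemNotFound ? errSecSuccess : status;
}
```

Link against Security.framework. A password collected through a Settings.bundle field would still land in the app's preferences, so with this approach the password field belongs in the app's own UI.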