tags:

views:

694

answers:

4
+5  Q: 

What is the best practice to store username and password on the iPhone?

Is there a best practice way to store username and password on the iPhone? I am looking for something that is obviously secure but will also keep the info between app updates.

+10  A: 

Use the Apple Keychain.

+ (NSString *) getPasswordForUsername: (NSString *) username andServiceName: (NSString *) serviceName error: (NSError **) error;

+ (void) storeUsername: (NSString *) username andPassword: (NSString *) password forServiceName: (NSString *) serviceName updateExisting: (BOOL) updateExisting error: (NSError **) error;

The first method allows you to request the password associated with an existing username for a particular service name (I’ve just been using the name of my app as a service name). The second allows you to store a username/password/service name combo, and allows you to specify whether or not the appropriate keychain item should be updated with the provided password if an existing one is found that matches the username and service name pair. The last parameter of each is a reference to an NSError object which will contain lower level error information if something goes wrong (and be nil if it does not).

For more information see his blog

Ghommey  2009-10-08 14:11:37
is the password returned in plaintext?
pxl  2009-10-08 18:25:31
when I add that class to my project I get a bunch of weird errors such as "_kSecAttrAccount", referenced from: _kSecAttrAccount$non_lazy_ptr in SFHFKeychainUtils.o"_SecItemDelete", referenced from: +[SFHFKeychainUtils deleteItemForUsername:andServiceName:error:] in SFHFKeychainUtils.o"_kSecReturnAttributes", referenced from: _kSecReturnAttributes$non_lazy_ptr in SFHFKeychainUtils.o"_kSecClass", referenced from: _kSecClass$non_lazy_ptr in SFHFKeychainUtils.o"_kSecClassGenericPassword", referenced from: _kSecClassGenericPassword$non_lazy_ptr in SFHFKeychainUtils.o
Jason  2009-10-12 14:31:31
+4  A: 

The keychain is what you are looking for.

Nikolai Ruhe  2009-10-08 14:11:59
That link is for the Mac OS X keychain. Here's the link for the iPhone version (they're slightly different): http://developer.apple.com/IPhone/library/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html
Dave DeLong  2009-10-08 14:21:27
Oh, thanks. Fixed that.
Nikolai Ruhe  2009-10-08 15:03:38
+2  A: 

Use the Keychain, here is some code to make it very easy. Works on the device and simulator.

FigBug  2009-10-08 14:13:29
+1  A: 

See the Generic Keychain example source. That's the way to go IMHO

slf  2009-10-08 14:17:11

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security