tags:

views:

177

answers:

2
+1  Q: 

Storing secret keys on iPhone source and project resources

Is storing secret keys (internal use passwords and such) on iPhone source code and project resources (such as plist files) secure?

Obviously nothing is 100% secure, but can this information be extracted easily from an installed app?

How do you recommend storing these keys to use them in the source code?

Just in case, this question is not about storing user passwords.

+1  A: 

A lot depends on what you mean by secure. For normal device use it could be considered secure in that there is no way for a user to access it. However all bets are off for a jail-broken device which has complete access to the filesystem. So viewing a plist file in your application bundle is trivial on a jail-broken phone.

You might consider the use of the keychain which in theory would be safer and also has the advantage that the data will survive a reinstallation of your app. As before on a jail broken device nothing can be considered to be 100% secure but it depends how much trouble you want to go to.

kharrison  2010-04-04 22:09:46
Using the keychain would imply storing the secret keys in the source code first, wouldn't it? Or is there are another way to initialize the keychain?
hgpc  2010-04-04 22:42:46
Good point. The keychain makes most sense when the user is entering the secret key. If you want to ship the key with the application I am not sure you have any other choices. Keeping the keys in code is perhaps better than storing it in a plist file. Some simple obfuscation of the key will prevent trivial attacks but as I said before on a jail broken device if somebody wants to break your app they probably can.
kharrison  2010-04-05 11:12:09
A: 

Found basically the same question with a longer discussion:

http://stackoverflow.com/questions/544463/how-would-you-keep-secret-data-secret-in-an-iphone-application

To sump up: it seems there's no official way to securely store secret keys in the app binary.

Sorry for posting a duplicate question.

hgpc  2010-04-06 10:14:12

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security