In my application, once the user is authenticated, he receives a sort of security key that needs to be stored for his session on the iPhone/iPad. This security key is used for all his future requests during the session. How safe is it if I were to store the key in some global variable once I get it? Can it be accessed if the iPhone is jailbroken? If so, what would be a safe place to keep the session key?

Thanks, Hetal

+1  A: 

Who are you worried is going to steal the code? The user or another malicious program? If it's the user, and the code is very valuable, you have to assume that anyone with physical access to the device could, in theory, break it. But as a practical matter you are pretty safe. You could encrypt the code while it's in memory and only decrypt it as you use it.

Again, as a practical matter, web-apps do this all the time via cookies. If the code is only valid for a single session you are probably safe if it is compromised. You might want to consider the code 'safe' while it is in memory, but put in other protection to detect when and if it does get stolen, i.e. have the code only be valid for 10 minutes and then have to be refreshed, be only valid from one IP, or put limits on the number of transactions, etc., depending on what your application's needs are.

joelm
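
The server-side limits suggested in the answer above (a 10-minute lifetime with refresh, one IP per key, a cap on transactions), as an added example that is not part of the original thread. `SessionStore`, its method names and the cap of 20 are assumptions made for illustration, and the caller passes in the current time.

```python
import secrets
from dataclasses import dataclass

TTL_SECONDS = 600        # the 10-minute validity the answer suggests
MAX_TRANSACTIONS = 20    # assumed per-key cap (constructed value)

@dataclass
class Session:
    user: str
    ip: str
    expires_at: float
    used: int = 0

class SessionStore:
    """Server-side record of issued session keys (hypothetical helper)."""

    def __init__(self):
        self._sessions = {}
        self.alerts = []  # rejected uses that suggest a stolen key

    def issue(self, user, ip, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ip, now + TTL_SECONDS)
        return token

    def check(self, token, ip, now):
        """Return 'ok' or the reason the request is rejected."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now >= s.expires_at:
            del self._sessions[token]
            return "expired"
        if ip != s.ip:
            # Key presented from another address: revoke it and record the event.
            del self._sessions[token]
            self.alerts.append((s.user, ip, "ip-mismatch"))
            return "ip-mismatch"
        if s.used >= MAX_TRANSACTIONS:
            self.alerts.append((s.user, ip, "limit"))
            return "limit"
        s.used += 1
        return "ok"

    def refresh(self, token, ip, now):
        """Swap a still-valid key for a new one; the old key stops working."""
        if self.check(token, ip, now) != "ok":
            return None
        user = self._sessions.pop(token).user
        return self.issue(user, ip, now)
```

On a phone the address changes when the device moves between Wi-Fi and cellular, so an `ip-mismatch` here forces a new login rather than proving theft.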