views:

26

answers:

1

I am working on an application that uses a private web service. We currently use a bundled client certificate to enable 2-way SSL connectivity; however, the password for the certificate is in the code, and it is a concern that this could be de-compiled and used with the (trivially) extracted certificate file for nefarious purposes.

Is there a method by which I can pre-load a password into the application keychain for distribution with the app so that the password is never left in the open?

A: 

No matter how you put your password into your binary, there will be some way to exploit this, be it with debugging tools, code analysis, etc.

You had better treat your web service as open... maybe unlikely to get improperly authorized requests in the very near future, but basically you give away access to the public.

The keychain should be encrypted with a user-specific key, and this you obviously cannot do, or you would be able to read everyone's data anyway.

If you really need to protect it, you probably need user accounts on your server... whether this is more secure than obscurity is up to you.

Eiko

This was the conclusion I was coming to. The trade-off for the open vs. secure API is complex, unfortunately.
Rick