I have created an application in which I have used base64 encoding and saved the user password into NSUserDefaults, but somehow another iPhone developer broke that password. I wonder how he could have gotten the NSUserDefaults data? Does anyone know how to stop this critical thing, and also how he got the NSUserDefaults data? Also, what is the best encryption method to store a user password on the iPhone?

A: 

Someone who has a jailbroken iPhone has more control over the device than you do. There is no place to hide a secret, not on flash disk, not in memory. When you are building a server you should always assume that the attacker can connect a malicious client. Period, end of story.

Rook
@The Rook Is it possible to get NSUserDefaults data without a jailbroken device?
Rahul Vyas
+2  A: 

I suggest you check out SFHFKeychainUtils. It wraps up the Keychain Services API and provides a very simple interface to store sensitive information like passwords.

Store your password:

// Initialise the error pointer so it can be checked reliably after the call.
NSError *error = nil;
[SFHFKeychainUtils storeUsername:userName andPassword:password forServiceName:@"whatever_service" updateExisting:YES error:&error];

Get your password back:

// The same service name and username are used to look the item up again.
NSError *error = nil;
password = [[SFHFKeychainUtils getPasswordForUsername:userName andServiceName:@"whatever_service" error:&error] retain];

You can also clear the stored value using the deleteItemForUsername message if you need to log the user out.

Cannonade
@Cannonade Thanks for the reply. There is a simple login view, and for the user's sake he will not have to enter the password again; that's why I saved the password into NSUserDefaults. Should I use an Sqlite3 database?
Rahul Vyas
Cannonade
NSUserDefaults is not secure, and base64 encoding is not encryption. I would be surprised if your application was allowed in the store unless you use the keychain to store account credentials, as I believe is required by the development agreement.
Kendall Helmstetter Gelner
+2  A: 

A keychain is an encrypted container that holds passwords for multiple applications and secure services. Keychains are secure storage containers, which means that when the keychain is locked, no one can access its protected contents. -- Keychain Services Programming Guide, Apple 2010.

I recommend that you read the Keychain Services Tasks for iOS.

johnnieb
A: 

An attacker with physical access can just create an iPhone backup, which includes completely unencrypted copies of most data files.

tc.