In my iOS4+ app I use AES encryption in several places and the whole app has to be very secure. In order to do this I have to hard-code several keys in this app, which are then randomly picked when I need to encrypt something...
My question is how to store those private keys? Is it safe to hard-code them using NSString? Or
#define SecretKeyString @"febd9a24d8b65c1c787d50a4ed3619a9"
If a user jailbreaks an iPhone with this app installed, couldn't he get those hard-coded keys? How can I hide them most effectively?
Thanks for any suggestion...
iOS Keychain is considered the best place to store your application's small secrets. The Keychain is encrypted using a combination of Device Key and user passcode (if set). Your application will talk to security in order to interact with the SQLite database containing the encrypted secrets.
You can simply use NSURLCredential; it will save both username and password in the keychain in just two lines of code.
Apple holds the (encryption) key. This includes contacts, notes, unencrypted e-mails, application preferences, Safari bookmarks, calendars, and reminders.
If you're one of the world's 700 million iPhone users, it's very likely that encryption protects everything on your smartphone, as 95 percent of Apple's phones are encrypted when their screens are locked. That default protection ensures your phone keeps your data safe from intruders.
What other apps do is require the user to "log in" before they can use the app. Then you use their userid/password as a key to encrypt the keys or use a secured web service to get the keys for that user.
If you use a #define or even an NSString, there are ways to guess the keys. Obviously, you have to truly be willing to spend a lot of time to find those keys in compiled code, but depending on the level of security you are looking for and the people you are guarding against, this might be a problem.