Monday, March 28, 2011

Storing passwords in iPhone applications

I have a simple application, based off the "Utility Application" template. It retrieves a password-protected XML file (via NSXMLParser).

I want to allow the user to set a username and password in the "FlipsideView", how would I go about this?

I have the basics in place, the two UITextField boxes, the value of which gets set to a fixed value when the view loads (using the viewWillAppear method), and NSLog'd when the view is closed (the NSLog is just for testing, obviously, in the viewWillDisappear method)

How do I store the data? I've had a look at the Developer documentation, and it seems like I should be using NSUserDefaults..?

From stackoverflow
  • Aha, NSUserDefaults seems to work, and is simple to use, but isn't secure in the slightest:

    password is the IBOutlet for the UITextField.

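    // Insecure by design: the value lands in plain text in the app's preferences plist.
    - (void)viewWillAppear:(BOOL)animated
    {
        [super viewWillAppear:animated];
        NSUserDefaults *prefs = [NSUserDefaults standardUserDefaults];
        // Load the previously saved value into the text field.
        NSString *pword = [prefs objectForKey:@"password"];
        password.text = pword;
    }

    - (void)viewWillDisappear:(BOOL)animated
    {
        [super viewWillDisappear:animated];
        NSUserDefaults *prefs = [NSUserDefaults standardUserDefaults];
        // Save whatever the user typed when the view closes.
        [prefs setObject:password.text forKey:@"password"];
    }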
    

    The password is stored in plain-text in a plist, so it would be quite easy for someone else to access.. but this is useful for storing non-sensitive settings.

    I ended up using this to store the username field, and stored the password using the SFHFKeychainUtils keychain code from August's answer.

    August : This is very insecure. You're essentially storing passwords in the open.
    dbr : Yeah, I completely forgot about the Keychain. I've updated the answer to reiterate how insecure it is.
  • This is exactly what Apple developed the Keychain for. Using Keychain, you can store your password in encrypted form. Take a look at Apple's GenericKeychain sample.

  • I agree with Ben. This is exactly what the Keychain is for.

    I would not, under any circumstances, simply store passwords in the defaults as dbr suggests. This is highly insecure. You're essentially storing your passwords in the open.

    In addition to Apple's sample code, I also recommend Buzz Anderson's Keychain code: iPhone Keychain Code

    Ben Gottlieb : I was trying to remember that link, thanks!
    dbr : Perfect, thanks! One thing pointed out in the comments of that page (which caused the error when compiling): you have to include the iPhoneOS Security.framework for it to work.
    3n : This makes perfect sense for storing the password, but what about for storing the username (to retrieve the password)? Something that won't get overwritten on app updates etc. It seems kind of pointless to store in the userdefaults if it's the only thing there.
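
The Keychain approach recommended in the answers above, as an added example that is not part of the original thread and is not the SFHFKeychainUtils or GenericKeychain code. It calls the Security framework directly, assumes ARC and a linked Security.framework, and the service name `com.example.xmlfeed` and the helper function names are hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>   // requires linking Security.framework

// Hypothetical service identifier; use your app's own bundle-style string.
static NSString * const kService = @"com.example.xmlfeed";

// Base query identifying one generic-password item for (service, account).
static NSMutableDictionary *BaseQuery(NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kService,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// Insert the password, or update it if an item already exists for this account.
BOOL StorePassword(NSString *password, NSString *account) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableDictionary *add = BaseQuery(account);
    add[(__bridge id)kSecValueData] = secret;
    // Readable only while the device is unlocked; never migrates to another device.
    add[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        NSDictionary *changes = @{ (__bridge id)kSecValueData: secret };
        status = SecItemUpdate((__bridge CFDictionaryRef)BaseQuery(account),
                               (__bridge CFDictionaryRef)changes);
    }
    return status == errSecSuccess;
}

// Return the stored password, or nil if none exists or the read fails.
NSString *LoadPassword(NSString *account) {
    NSMutableDictionary *query = BaseQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the item, e.g. when the user clears the account in the settings view.
BOOL DeletePassword(NSString *account) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)BaseQuery(account));
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

Here the username is passed as the `account` attribute, so only the username itself needs to live in NSUserDefaults while the secret stays in the Keychain.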
