Storing Login Info for Web 2.0 App

Discussion in 'iOS Programming' started by piazza31, Oct 28, 2008.

  1. piazza31 macrumors newbie

    Joined:
    Jan 8, 2008
    #1
    Hi,
    I need to store user login info for a Web 2.0 service in my iPhone app. I wonder what's the safe and secure way to do it. I send login info encoded as specified in the service API, but what about the strings stored on the device? Do I need to adhere to some standard, keychain or other type of encryption to safely store the username and password of the user?
    Are there any rules to follow also for the distribution on the App Store? I read in another place that you should declare what type of encryption you use in the app for export purposes...
    Who could clarify this question please? Or point me in the right direction?

    Thanks a lot.
     
  2. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #2
    I would suggest you use the built-in keychain services as described in the documentation.
     
  3. piazza31 thread starter macrumors newbie

    Joined:
    Jan 8, 2008
    #3
    Ok. But how do I use the settings bundle to organize those keys? I'd like to have that information on the settings page of the iPhone, as in standard apps. But from what I know of the plist configuration, I have access to NSUserDefaults only. How could I integrate the keychain services there without writing a non-standard view directly in my app?
     
  4. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #4
    I don't really understand the question: the keychain is the model. It has nothing to do with what the view onto that data is. You need to write the controller layer to link the two.

    I see no reason that a settings bundle cannot store data in the keychain: NetNewsWire, for example, uses a settings bundle and stores usernames and passwords. I cannot imagine they are not using the keychain.
     
  5. piazza31 thread starter macrumors newbie

    Joined:
    Jan 8, 2008
    #5
    Sorry, I didn't formulate my question the right way. I don't know how to link the settings bundle with my view controller if I use the keychain to store the login information. The documentation explains only the possible types it accepts in the plist file, and those seem to be arrays, strings and dictionaries with some special options. I see no mention of working with controllers from your application.
    Maybe I am missing something...
     
  6. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #6
    What view controller? One in the main app? You shouldn't even be trying to link them.

    The settings bundle views are linked to the controller layer in the settings bundle. This reads/writes the keychain.

    In the main app you read the values from the keychain when you need to make a connection.

    Edit to add: none of this has anything to do with NSUserDefaults, plists or the like: the keychain is the model, not NSUserDefaults or a plist.
     
  7. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #7
    My apologies to piazza31! I have read the documentation and from what I see you cannot include code in the settings bundle. My best suggestion is that the IsSecure key for text fields may actually cause the value to get stored in the keychain and retrieved from it transparently...
     
  8. piazza31 thread starter macrumors newbie

    Joined:
    Jan 8, 2008
    #8
    No problem! Thanks anyway!
     
  9. Nutter macrumors 6502

    Joined:
    Mar 31, 2005
    Location:
    London, England
    #9
    Unfortunately, it does not. All values from Settings.app are stored in user defaults, which to my mind makes the very existence of the isSecure property rather unwise.

    The solution is to prompt the user for secure information only from within the app. In my app (Byline) I allow the user to change the account username from Settings.app, and then ask for the account password when the app is launched.
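
The split described in the post above (username editable in Settings.app, password requested inside the app and kept out of user defaults), shown with Keychain Services in Swift. This is an added example, not code from the thread or from Byline; the service string and the `username` defaults key are assumptions.

```swift
import Foundation
import Security

// Assumed names: the service string, and "username" as the Key of a
// text field in the settings bundle plist.
let service = "com.example.myapp.webservice"

/// Store or replace the password for `account` as a generic-password item.
func savePassword(_ password: String, account: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    let attrs: [String: Any] = [
        kSecValueData as String: Data(password.utf8),
        // Readable only while unlocked; not migrated to other devices.
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    // Update an existing item; add a new one only when none matches.
    var status = SecItemUpdate(query as CFDictionary, attrs as CFDictionary)
    if status == errSecItemNotFound {
        let item = query.merging(attrs) { _, new in new }
        status = SecItemAdd(item as CFDictionary, nil)
    }
    return status
}

/// Return the stored password for `account`, or nil if the keychain has none.
func loadPassword(account: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

/// At launch: the username comes from Settings.app (user defaults), the
/// password only from the keychain. nil means the app must show its own
/// password prompt and then call savePassword.
func credentialsForLaunch() -> (username: String, password: String)? {
    guard let username = UserDefaults.standard.string(forKey: "username"),
          !username.isEmpty,
          let password = loadPassword(account: username) else { return nil }
    return (username, password)
}
```

Because the keychain item is keyed by account name, changing the username in Settings.app makes `credentialsForLaunch()` return nil, which triggers the in-app password prompt for the new account.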
     
  10. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #10
    So my password for my NetNewsWire account is stored in plain text? That's shocking.
     
  11. Nutter macrumors 6502

    Joined:
    Mar 31, 2005
    Location:
    London, England
    #11
    I'm pretty sure that is indeed the case.
     
  12. Brendan.Porter macrumors member

    Joined:
    May 19, 2007
    Location:
    Between tourists, corn, and windmills.
    #12
    I don't think it is that shocking that a password is stored in an inaccessible place. If you're smart you would encrypt the password before storing it, and decrypt it after retrieving it.

    If you don't put the password in a user-viewable setting (i.e., don't put in a Type in the settings plist for the password Key) then the user can't even find the password, because Settings won't display it. The worst-case scenario is that someone hacks into your device somehow and finds the plist, then either views or downloads it. If it is encrypted, it's useless.
     
