19 Replies
      Latest reply on Sep 9, 2019 8:07 AM by Claude31
      iphonegamedeveloper Level 1 (0 points)

        I want to store a static NSString securely. I am storing it in a plist file, but it's not secure, as it can be retrieved by anyone who gets the IPA. Is there any way to store a string or token securely?

        • Re: Storing static string secure
          PBK Level 7 (3,605 points)

          There is encryption and signing.  You encrypt to hide the string from others.  You sign so that others can't change the strings.  Which do you want?

           

          To sign, you add a "secret salt string" to your publicly visible objects and create an NSData object by:

              NSError *error = nil;
              NSData *data = [NSPropertyListSerialization dataWithPropertyList:fullArray format:NSPropertyListXMLFormat_v1_0 options:0 error:&error];

          then you determine the hash of that data using CC_SHA1 in <CommonCrypto/CommonDigest.h>.  Then you transmit the hash along with the publicly visible objects (but not the "secret salt string").  The recipient adds the "secret salt string" and checks the hash.

           

          To encrypt you can use a function like AES256DecryptWithKey: I am not sure how to link to that function - search Stack Overflow for it.  If you do that you will have an issue with exportation.
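The salt-then-hash signing scheme described in the post above, as an added Python example (not code from the thread): plistlib.dumps() in XML format stands in for NSPropertyListSerialization, hashlib.sha1 for CC_SHA1, and the salt, record and tampered record are constructed samples.

```python
import hashlib
import hmac
import plistlib

# Constructed sample: shared by signer and verifier, never transmitted.
SECRET_SALT = "constructed-secret-salt"


def sign(public_objects: list, salt: str) -> bytes:
    """Append the secret salt to the visible objects, serialize the whole array
    as an XML plist (like NSPropertyListXMLFormat_v1_0) and hash the bytes."""
    full_array = public_objects + [salt]
    data = plistlib.dumps(full_array, fmt=plistlib.FMT_XML)
    return hashlib.sha1(data).digest()


def verify(public_objects: list, received_hash: bytes, salt: str) -> bool:
    """The recipient re-adds the salt, recomputes the hash and compares it
    to the transmitted one (constant-time compare)."""
    return hmac.compare_digest(sign(public_objects, salt), received_hash)


def demo() -> tuple:
    """Sign a constructed record; an altered copy must fail verification."""
    record = ["player42", 1500, "level-7"]          # the publicly visible objects
    tag = sign(record, SECRET_SALT)                  # transmitted with the record
    tampered = ["player42", 999999, "level-7"]       # someone edited the score
    return verify(record, tag, SECRET_SALT), verify(tampered, tag, SECRET_SALT)


if __name__ == "__main__":
    print(demo())
```

The hash-over-data-plus-secret construction is what the post describes; in new code the standard primitive for this job is an HMAC (hmac.new(key, data, hashlib.sha256).digest()), which is not subject to length-extension and avoids SHA-1.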

          • Re: Storing static string secure
            KMT Level 9 (15,495 points)

            Quoting the docs: "The keychain is the best place to store small secrets"

             

            See: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_keychain

            • Re: Storing static string secure
              PBK Level 7 (3,605 points)

              You keep writing ‘Store securely’.  That is a good question and you received two answers 1) in the keychain and 2) by adding or changing certain characters so only your app’s hard code can decode it. But your real question is ‘how can I place a secret token in my app’ and for that question only #2 is applicable.

                • Re: Storing static string secure
                  iphonegamedeveloper Level 1 (0 points)

                  Can't we place a secret key securely using keychain?

                    • Re: Storing static string secure
                      PBK Level 7 (3,605 points)

                      >Can't we place a secret key securely using keychain?

                       

                      Yes you can.  But you need to obtain the key and place it in the keychain.  How will you obtain the key?

                      If you include it in an unhidden form in your app's code then you have to be concerned that someone can inspect your app and extract the code.  A simple way to avoid this is stated above; add false information to the key and have the apps code remove that false information before storing it in the keychain.  Here are 2 examples of encoding the secret word "IBM":

                       

                      1) "HAL" - your app adds one to each letter

                      2) "everyIfifthBleterMsic"  - your app extracts every fifth letter

                        • Re: Storing static string secure
                          iphonegamedeveloper Level 1 (0 points)

                          The key/token will not come from the server. It will be hardcoded in the source code; that's why I raised this question. Is it worth encrypting the hardcoded key/token by saving it in the keychain?

                           

                          Can you elaborate more on the following two approaches, or any link which explains this would be better.

                           

                          1) "HAL" - your app adds one to each letter

                          2) "everyIfifthBleterMsic"  - your app extracts every fifth letter

                            • Re: Storing static string secure
                              PBK Level 7 (3,605 points)

                              If you are worried about someone extracting the token from your ipa file then simply hide it as described in #1 or #2 or use "pig latin".  It's not that complicated.  If you are going to store the unmodified token anywhere then only store it in the keychain.

                               

                              >Can you elaborate more on the following two approaches or any link:

                               

                              1) "HAL" - take "H" and look it up in the alphabet.  The next letter is "I". Replace the H with I.  Then do the same on the A and replace it with a B.  Then do the same thing on the L and replace it with M - IBM.  If you wanted to hide "123" it would be "012"

                               

                              2) take "everyIfifthBleterMsic" and delete the first 5 characters (every) and keep the next character (I) then do that again deleting (fifth) and keeping B then again deleting (leter) and keeping M then do it again deleting (sic) and you are left with IBM.  If you wanted to hide 123 it would be 562971234592716543

                               

                              aaaaaNbbbbbOccccc dddddLeeeeeIfffffNgggggK

                              NJ?
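The two hiding schemes worked through above, as an added Python example (not code from the thread): the decoders follow the rules as stated ("add one to each letter", "delete five, keep one"), the encoders are their inverses, and the strings are the ones the post uses.

```python
def decode_shift(hidden: str) -> str:
    """Scheme #1: the app adds one to each character ('HAL' -> 'IBM', '012' -> '123')."""
    return "".join(chr(ord(c) + 1) for c in hidden)


def encode_shift(secret: str) -> str:
    """Inverse of decode_shift: the form you paste into the source ('IBM' -> 'HAL')."""
    return "".join(chr(ord(c) - 1) for c in secret)


def decode_every_nth(hidden: str, skip: int = 5) -> str:
    """Scheme #2: drop `skip` filler characters, keep one, repeat; a short tail is ignored."""
    return hidden[skip::skip + 1]


def encode_every_nth(secret: str, fillers: list, tail: str = "", skip: int = 5) -> str:
    """Inverse of decode_every_nth: one filler of exactly `skip` characters per secret
    character, plus an optional tail that must not be longer than `skip`, otherwise
    the decoder would read one character too many."""
    if len(fillers) != len(secret) or any(len(f) != skip for f in fillers):
        raise ValueError("need exactly one %d-character filler per secret character" % skip)
    if len(tail) > skip:
        raise ValueError("a tail longer than %d characters leaks into the decoded token" % skip)
    return "".join(f + c for f, c in zip(fillers, secret)) + tail


if __name__ == "__main__":
    print(decode_shift("HAL"), decode_every_nth("everyIfifthBleterMsic"))
    print(decode_every_nth("aaaaaNbbbbbOccccc dddddLeeeeeIfffffNgggggK"))
```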

                                • Re: Storing static string secure
                                  iphonegamedeveloper Level 1 (0 points)

                                  Thanks for explaining the two approaches "HAL" and "everyIfifthBleterMsic".

                                   

                                  >If you are going to store the unmodified token anywhere then only store it in the keychain.

                                   

                                  I believe keychains are useful to store the data if it comes from server. I wanted to know whether storing the hardcoded string in keychain is really useful.

                                    • Re: Storing static string secure
                                      Claude31 Level 8 (8,505 points)

                                      You never said what level of security you are looking for.

                                       

                                      Is it to protect bank account access?

                                           If so, you probably need some strong crypto, but also export authorizations.

                                      Or just to protect some private information so that it is not visible to anyone?

                                           If so, you could design your own encryption.

                                           I suggest making it specific to each device.

                                       

                                      For instance (to be adapted if the String contains non-ASCII), to encode a String s:

                                      - select a codeS string which is device specific (e.g., MAC address)

                                      - append codeS to s

                                      - select a number N between 3 and 6 (may also be device dependent)

                                      - pad the resulting s to have a length multiple of N

                                      - convert each char of the String to another char with a function f (you could use a parameter to make it depend on the device) - give it a name that does not show it is part of encryption; build g, the inverse function

                                      - mangle the resulting String with a reversible algorithm (for instance by moving packets of N chars)

                                       

                                      Decoding is just the reverse order.
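The per-device encode/decode procedure listed above, carried through as an added Python example (not the poster's code). Assumptions of mine: codeS is a constructed stand-in for a MAC address, N and the parameter of f are both derived from codeS, f is a rotation within 7-bit ASCII (so the ASCII-only limit of the post still applies), padding is PKCS#7-style so it can be removed unambiguously, and "moving packets" means reversing the order of the N-char packets.

```python
def _params(code_s: str) -> tuple:
    """Derive the f/g shift k and the packet size N (3..6) from the device-specific code."""
    total = sum(code_s.encode("ascii"))
    return 1 + total % 127, 3 + total % 4        # k is never 0, so f is never the identity


def f(ch: str, k: int) -> str:
    """Forward character substitution: rotate inside 7-bit ASCII (use a bland name in real code)."""
    return chr((ord(ch) + k) % 128)


def g(ch: str, k: int) -> str:
    """Inverse of f."""
    return chr((ord(ch) - k) % 128)


def encode(s: str, code_s: str) -> str:
    """Append codeS, pad to a multiple of N, substitute with f, then mangle the packets."""
    if not s.isascii():
        raise ValueError("this scheme handles ASCII only, as the post notes")
    k, n = _params(code_s)
    text = s + code_s                              # bind the string to this device
    pad = n - len(text) % n                        # 1..N pad chars, PKCS#7 style
    text += chr(pad) * pad
    text = "".join(f(c, k) for c in text)
    packets = [text[i:i + n] for i in range(0, len(text), n)]
    return "".join(reversed(packets))              # mangle: move the N-char packets around


def decode(enc: str, code_s: str) -> str:
    """Reverse order: unmangle, apply g, strip padding, then strip and check codeS.
    On another device the padding or the code check fails instead of returning garbage."""
    k, n = _params(code_s)
    packets = [enc[i:i + n] for i in range(0, len(enc), n)]
    text = "".join(g(c, k) for c in "".join(reversed(packets)))
    pad = ord(text[-1])
    if not 1 <= pad <= n or text[-pad:] != chr(pad) * pad:
        raise ValueError("bad padding: wrong device code or corrupted data")
    text = text[:-pad]
    if not text.endswith(code_s):
        raise ValueError("device code mismatch")
    return text[: len(text) - len(code_s)]


if __name__ == "__main__":
    device = "AA:BB:CC:DD:EE:FF"                   # constructed stand-in for a MAC address
    print(decode(encode("IBM", device), device))
```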