2

If I have a password variable that is used for remote SSL authentication, is it secure to store in the source code?

e.g.

NSString * password =  @"password";

Is there a better way?

Update: Sorry for the confusion. I am not storing the user password; instead, I am storing a password that is used to call our own backend, and all the apps will use the same password.

0

3 Answers

2

My new answer:

Try not to use static passwords to access the back-end, period. What happens if somebody you don't want determines what that password is? Why not use usernames & passwords?

You can also consider using a public key or embedded certificate to allow only your app access to the back end servers.

My original answer:

Sounds like you want to get to know the Keychain.

Here's a tutorial that talks about it:

http://maniacdev.com/2011/07/tutorial-how-to-use-the-ios-keychain-to-store-names-and-passwords/

And here is a related question that talks about the security of Keychain under iOS.

You shouldn't have programs store a static password for all users, but instead have each user set up his/her account & password for authentication and then store that stuff in the keychain.


4 Comments

I have updated my question. I am not storing the user's password; instead, I am storing a password to call our backend, and the user doesn't know it.
It would have been nice if your original question was a bit more clear to begin with. I've amended my answer.
Thanks! But even using a public key, is it easy to be detected by the user? I am just thinking if there is a better method to hide it somewhere in the code. I don't need to have a perfect way to do it; just better than storing it as a string would be OK.
@Howard: I am also stuck with the same issue. Did you find any way to hide the string inside your code?
1

Any text contained within your application is easily extractable. There's no real way around this - using the strings tool, anyone can see any and all text content statically embedded into your app. However, there are some ways around this - notably, if you split up your string into several static strings and concatenate in the right order, it will be much more difficult to reverse engineer the password contained in your app.

I recommend you take a look at a similar question (How Safe is Information Contained within iPhone App Compiled Code), and specifically, my answer to that question, for a more in-depth explanation of what I mean. (Nimrod's comment on that question is also interesting.)

Comments

0

NO!

Build your app. Go to the terminal and type strings and then drag your executable to the terminal and press return... You'll see your secret password in plain text :)

You should store its hash.

1 Comment

I have dragged the executable into the strings terminal but it keeps loading; nothing can be seen.
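
As an added example (not part of any answer above), here is a minimal C version of the scan that the strings tool performs, written as a pre-release check that a known secret is not sitting in a build as a literal. The function name `binary_leaks` and both byte arrays are constructed for illustration; they stand in for a compiled executable.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_RUN 4  /* default minimum run length used by strings(1) */

/* Constructed sample: the literal from the question between non-text bytes. */
static const unsigned char IMAGE_WHOLE[] =
    "\x7f\x01\x02" "password" "\x00\x10\x00" "main" "\x00";

/* Constructed sample: the same secret split into two literals. */
static const unsigned char IMAGE_SPLIT[] =
    "\x7f\x01\x02" "pass" "\x00\x10\x00" "word" "\x00" "main" "\x00";

/* Collect runs of printable ASCII of at least MIN_RUN bytes, as strings(1)
 * does, and return 1 if any run contains `needle`, else 0. */
int binary_leaks(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle), start = 0;
    if (nlen == 0)
        return 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                     /* still inside a printable run */
        size_t run = i - start;           /* run is buf[start .. i-1] */
        if (run >= MIN_RUN && nlen <= run)
            for (size_t j = start; j + nlen <= i; j++)
                if (memcmp(buf + j, needle, nlen) == 0)
                    return 1;
        start = i + 1;                    /* next run begins after this byte */
    }
    return 0;
}

int main(void)
{
    printf("whole literal found: %d\n",
           binary_leaks(IMAGE_WHOLE, sizeof IMAGE_WHOLE, "password"));
    printf("split, exact match:  %d\n",
           binary_leaks(IMAGE_SPLIT, sizeof IMAGE_SPLIT, "password"));
    printf("split, fragment:     %d\n",
           binary_leaks(IMAGE_SPLIT, sizeof IMAGE_SPLIT, "pass"));
    return 0;
}
```

An exact-match scan misses the split form, yet each fragment is still listed as its own run, so a release check of this kind should search for the fragments as well as the whole value.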
