How to store sensitive data (e.g. passwords, API keys) in a Cocoa application?

Question

How to store sensitive data (e.g. passwords, API keys) in a Cocoa application?

I need to provide some passwords, API keys and similar sensitive data in my code. What are the best practices in this regard? Hard code? SQlite? Some cryptographic framework?

+4

objective-c cryptography cocoa

Piotr byzia Oct 27 '09 at 20:46

source share

5 answers

You can use any of the posix compatible Cypographic libraries, but as mentioned above, anyone with code cracking skills can defeat encryption by finding the key.

There are several tricks you can use to slow down the cracker: (1) Use tablet names for classes, methods, and variables to mask encryption of code processing, for example. - (void) qwert asdf: (NSString *) lkj; (2) Put double routines and branches that don't really do anything. (3) Hide data in an unexpected place, for example, within images.

+3

Techzen Oct 27 '09 at 23:06

source share

Use the Mac OS X Keychain:

Update:

If your goal is to hide information from your end users, then I don’t know how to do it.

Hard coding is the beginning, but a user with a debugger can read a line from your binary. To combat this, I heard of developers who store data as many separate rows and then merge them at the last minute. Ymmv

+2

Justin voss Oct 27 '09 at 21:13

source share

To add to the direct answers: all this is in vain if you are not using a secure mode of transport such as TLS or SSH. If you send the recovered API key in clear text, it's not difficult for him to use something like Wireshark or tcpdump (or, a little more complicated, a custom router) to capture it after it exits.

If any API that you use does not offer an encrypted access method, then you can do nothing about it (besides asking for it), but if so, then you should use it.

+2

Peter Hosey Oct 29 '09 at 8:13

source share

You cannot protect them. You can only try to hide them so that it is not too obvious. Safety from obscurity. But I do not think that there is a way to keep someone who wants to wrest their hands because of their presence.

+1

nschmidt Oct 27 '09 at 10:48

source share

Doug richardson · Accepted Answer · 2009-10-28T05:03:04+0000

Like everyone else, you cannot measure the API key and use it in your application. However, you can make simple obfuscation relatively easy, and if the cracker’s winnings are low, you may not burn out.

One easy way is to split your API key into multiple substrings. Make sure you put them in your code in some random order. For example, if your API key is 12345678901234567890, you can break it into 5 substrings, for example:

static char *part1 = "12345"; static char *part5 = "7890"; static char *part3 = "890123"; static char *part2 = "67"; static char *part4 = "456";

If you run /usr/bin/strings in the resulting binary, you should not see the API key in order. Instead, you will see API substrings in the order specified in your C file. With 5 substrings like this, this is 5 * 4 * 3 * 2 * 1 = 120 permutations. If you divide it into 13 substrings, you will see more than 6 billion permutations.

However, this does not stop anyone who knows what they are doing from getting your API key if he wants to. In the end, you will have to combine the lines together and pass them to one of your methods, after which the cracker can use the debugger to set a breakpoint and check the memory.

How to store sensitive data (e.g. passwords, API keys) in a Cocoa application?

More articles: