Safe to hard code a password in mobile app - iphone

I have a web server that creates a QR code which is [username] + a md5 hash of [username][password].
Where [username] is the user logged in at the time.
Where [password] is a system password set by me and common to web server and the apps.
My Android/iPhone/BlackBerry/Windows app will scan this QR code and use the [username] provided in the QR code to hash with [password] which will tell me that the QR code came from my server.
Obviously if someone were to get hold of [password] then they could create QR codes that did not come from my web server. So is there anyway to safely store [password] in my app or could someone decompile the .apk and find it in classes.dex?

You can obfuscate the password somehow, but ultimately this is only security through obscurity. Someone who wanted to could certainly reverse engineer it.
You probably want to look at public key cryptography to avoid this - even if someone gets access to the public key, they still won't be able to use it to impersonate your server.

No.
If someone is sufficiently motivated, they will be able to reverse engineer a hard-coded password.

Im not sure about the other platforms, but if you put your password hardcoded in plaintext on android they would get it really easily. Other platforms might require more advanced methods. You can hash the password with some more advanced hashing algorithm so that they don't get the original password, but from what you said you don't want them making "fake" QR codes.
The short answer is no, because everything can be cracked somehow if it is on client side.

Related

Rails 4: encrypt/decrypt email and store in DB

Passwords are hashed with a salt and are thus "secure" (relatively speaking) by default using has_secure_password in Rails 4. But what I want to do is encrypt the email at rest in the DB so if the database is compromised somehow the emails aren't just in plaintext.
I've looked at just writing my own encrypt/decrypt functions, but that's dangerous. I've looked at attr_encrypted (and have used it before) but it's not really compatible with the new Model.find_by(key: value) syntax that Rails 4+ pushes, and I don't want to create a hacked fix.
Is there anything out there already that will allow me to easily encrypt an attribute in the DB at rest and then decrypt it when I need to find it? I can't use hashes because I need the decrypted value to display and send emails to later.
I've googled for a while but can't seem to find anything like this. Surely encrypt/decrypt is something very basic that's been put into a convenient gem that's been reviewed by the community?
Have you considered the attr_encrypted gem?

Protecting sensitive information in Objective C source code

If I have a password variable that is used for remote SSL authentication, is it secure to store in the source code?
e.g.
NSString * password = #"password";
Are there better way?
Update: Sorry for confusion, I am not storing the user password, instead, I am storing a password that is used to call our own backend, all the app will use the same password.
My new answer:
Try not to use static passwords to access the back-end, period. What happens if somebody you don't want determines what that password is. Why not use usernames & passwords?
You can also consider using a public key or embedded certificate to allow only your app access to the back end servers.
My original answer:
Sounds like you want to get to know the Keychain.
Here's a tutorial that talks about it:
http://maniacdev.com/2011/07/tutorial-how-to-use-the-ios-keychain-to-store-names-and-passwords/
And here is a related question that talks about the security of Keychain under iOS.
You shouldn't have programs a store static password for all users, but instead have each user set up his/her account & password for authentication and then store that stuff in the keychain.
Any text contained within your application is easily extractable. There's no real way around this - using the strings tool, anyone can see any and all text content statically embedded into your app. However, there are some ways around this - notably, if you split up your string into several static strings and concatenate in the right order, it will be much more difficult to reverse engineer the password contained in your app.
I recommend you take a look at a similar question (How Safe is Information Contained within iPhone App Compiled Code), and specifically, my answer to that question, for a more in-depth explanation of what I mean. (Nimrod's comment on that question is also interesting.)
NO!
build your app. Go to the terminal and type strings and then drag your executable to terminal and press return... You'll see your secret password in plain text :)
You should store its hash.

Storing OAuth keys in code for iPhone apps

I'm writing an iPhone app that integrates with third party APIs. These APIs use OAuth (key/secret specific to my app not per user) in order to authenticate which app the request is being made in behalf of.
Is it secure (or how secure) is it to simply put the key/secret in code? Can this sort of data be reverse-engineered? Is there a better way to go about including this data in a project?
There is no place on the iPhone to hide data. A user with a jailbroken iPhone has more control over the device than any developer. If possible you should setup a web service such as a REST or SOAP service to take care of these OAuth transactions on behalf of the client.
As Rook said earlier, there is no way to hide your data in iPhone. But you can make hacker job so difficult. I just done a work around for the same issue.
Put oAuth key information in PLIST
Mannually I encrypt this PLIST by using AES key and I got encrypted "CIPHER TEXT"
Modify the AES key by appending characters in between with your own logic. Since it required at runtime to decrypt the plist
Add this modified key with plist "CIPHER TEXT" and store this value in New plist.
Remove old plist which has oAuth information
Now you have only one plist which has encrypted value with modified KEY
Advantage:
Hacking is so difficult since hacker don't have a proper cipher text in plist
To hack this code they should know to separate Modified AES key from Cipher text.
Thou they found Modified AES key, they don't have any clue about the appending algorithm, here i simple used EVEN position of the character, but you can't modify this and you can take 3rd or 4th position of the character. Which is actually will differ for each developer
for more information please visit below link;
https://sites.google.com/site/greateindiaclub/mobil-apps/ios/securelystoringoauthkeysiniosapplication
I'd suggest looking into the Keychain services provided by Apple
http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html

iPhone cookies to store username and password

I have no idea how to store username and password details so that the user does not have to login everytime for the iPhone app.
Can anyone lead me in the right direction? I can't seem to find what to do.
Thanks!
You should be using the Keychain API. It will encrypt the data (not hash, as if you have to send it a the server, then the hash wouldn't be any use).
It's a bit of a pain, so take a look at some of sample code and 3rd-party wrappers available on the internet.
You can use Core Data or SQLite or any other storage (XML, JSON), since there are no cookies in iPhone.
Core Data
http://developer.apple.com/iphone/library/documentation/DataManagement/Conceptual/iPhoneCoreData01/Introduction/Introduction.html
SQLite
http://dblog.com.au/iphone-development-tutorials/iphone-sdk-tutorial-reading-data-from-a-sqlite-database/
Also remember to hash the password you should use MD5 at least.

iPhone: How to encrypt a string

I would like to encrypt a string with AES 256 on the iPhone but have not found much via google. What I am trying to do is post some data to a web site as part of a game I am creating, but I do not want the user to be able to cheat by seeing how it is posted because it is plain text. So I want to post one encrypted string to my php page (ala www.test.com/test.php?encrypted= etc...) and then the php script will decrypt it and do what it needs to if it is valid.
You can just use the CryptoHelper which is adopted by CyrptoExercise Sample Project
A much easier approach here would be to use an HTTPS POST, which would give you similar protections with far less code, though there are still difficulties for solving the problem you're attacking. The kind of solution you're describing generally requires some kind of shared secret, and it's very hard to protect code using a shared secret for long. You may find these posts helpful:
Machine ID for Mac
Store an encryption key in Keychain while application installation process
Obfuscating Cocoa
Still, HTTPS is probably a much better solution than AES here.
Check out this site: http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html