A talk about my experience with storing secrets (such as tokens or user identities) on iOs, using the Tiqr (tiqr.org) project as an example of the technologies discussed. Delivered at iosdevuk 2012 in Aberystwyth.
by the time you are wondering if your current job is still right for you, remember that at Egeniq we do awesome things with mobile technology and we don’t really care where you live as long as you are very talented.) 3
Requires NSA approval, basically • Process is documented, but time consuming • Unless it’s only for “authentication purposes” ‣Two flavours of US gov approval: • Self classification (if you use standard stuff for standard things) • Agency classification (non standard stuff and/or non standard things) 22
too much code • No extra key/password required (device passcode) • Works well with (encrypted) iTunes Backup ‣Bad: • Not every user has a passcode set • Lower level functions, lots of C (complexity) • Doesn’t work across iCloud backup/restore 24
encrypted • The encryption key is a pincode • There’s no plain text to compare against, so breaking it is hard ‣ Encrypted identities are stored in keychain • So also protected by passcode lock, if present ‣ Secret is not communicated • Challenge/response for ‘proof of posession’ ‣ Requires server validation of decrypted secret • Server enforces temporary and permanent blocks to stop brute force 31