How to store credit card info on iphone?

Question

I have requirement to store credit card number in iPhone app. How to store the data secure manner. I have looked at keychain. Apart from it, is there anything i can use.

Answer 1

As mentioned above, you should first look into the legality of this, especially with Apple restrictions on what goes in the app store.

That said, I have had to encrypt sensitive information before, and decided to go overboard with AES-256 encryption. Since usernames, passwords and personal data were being sent over a network, it was necessary. I used FBEncrypt for this - it's a great wrapper around CCCrypt.

https://github.com/dev5tec/FBEncryptor

That will allow you to do base-64 encoding and AES-256 encoding, among other things, and it is really convenient. Check it out if you really need it!

Answer 2

You need to do very serious research into this and not necessarily accept what people on this site say without thorough research and confirmation on your part.

Storing information like credit card info is not something you should implement just based on responses on this site IMO.

If you are serious you need to read, understand and apply the material in the book "Hacking And Securing iOS Applications" to understand what the dangers are and how you can mitigate against them, and how techniques that people say are secure really aren't as secure as you think they might be.

Answer 3

Encryption and the use of SSL/HTTPS seems enough for this case. If you are new to the subj, good general guidelines here: Mobile App Development Tips: How to Ensure Data Security

There are many implementations, e.g. you can use AES256 algorithm mentioned above:

1. When an app saves a credit card number for the first time, a random masterKey and initialization vector (IV) are generated. Use them later for encryption.
2. A masterSalt is generated and saved locally.
3. Using plainPassword and masterSalt, a hash (PBKDF2) is calculated.
4. Using the AES256 algorithm, the calculated hash is used to encrypt both MasterKey and IV.
5. Encrypted MasterKey and IV are saved locally.
6. Decrypt the MasterKey and IV using plainPassword and masterSalt hash (PBKDF2).
7. Now, encrypt the data with MasterKey and IV using the AES256 algorithm.

Answer 4

This question as stated is difficult to answer. It is up to author(s) of the requirement to determine the level of security needed. They may wish to get some legal advice about what, if any, liability may be incurred for leaking the data.

Once you know the appropriate level of protection, then you can start evaluating solutions. Keychain is good, but there are quite a few encryption options available.

Questions you may want to get answers to besides how to store the number include:

• What authentication will be needed to expose the number?
• What is the expected lifecycle of the exposed number?
  • How long can the number stay exposed?
  • How will the number be purged from memory?
• How can the exposed number be used?
  • Can the number ever be displayed to the user?
  • Will you allow the number to be copied to the clipboard?

If you want to be serious about protecting information (any information), you need to do some serious design work.