问题
After the recent attack on App Store I was thinking is the security meaures implemented in app for the user data security are enough? I know there is no guaranteed way to prevent attacks to your app’s data and logic but still we can frustrate attackers by implementing some kind of security .I am looking for the answers for the following questions.
- is NSUserDefault is secure?
- is Keychain Access is secure?
- Which is the better approach NSUserDefault or Keychain Access or any other recommended?
- After implementing is there any way I can test by attacking my app ?
回答1:
Store credentials for accessing remote services using
NSURLCredentialStorage
. This uses the keychain when the persistance type isNSURLCredentialPersistencePermanent
orNSURLCredentialPersistenceSynchronizable
.Use the keychain directly for storing types of credentials or personal information that does not fit the above or other frameworks (i.e. Accounts or HealthKit)
Do not store sensitive information in
NSUserDefaults
.Use the Data Protection APIs for all other local data. This can be done "app wide" using entitlements, or on individual files and directories (using
NSFileManager
,NSData
, etc.Be very wary of 3rd party frameworks and libraries. Many of these capture sensitive information like the user's location and send it insecurely.
You can certainly attempt to attack your application or hire a company to do so for you. There are many books and resources available for guidance on how to do so, one of the better ones is The Mobile Application Hacker's Handbook
回答2:
It depends on your data what type of data you want to store, like if you want to store password or token or other important user information you should Use KeyChain.
Keychain is more secure because :-
- Apple itself encrypts it.
- Keychain cannot be accessed by any other app as it signed by the certificate your app is using.
- One important feature is data persists after deleting the app, while this does not happen in NSUserDefault(all data gets deleted once app is deleted.)
来源:https://stackoverflow.com/questions/32730425/what-is-the-best-way-to-secure-users-data-saved-locally-in-app-and-how-to-test