Question

As you know, many apps use the keychain to save the user's login name and password, but is it really safe, especially on a jailbroken device? Another solution is to use the OAuth2 protocol to save that confidential information on the server side, which needs many changes on both the client and the server side (for my app).

How do you guys handle this tough issue? Anyone who knows, please share, and thanks in advance.


Solution

Keychain:

It has two levels of encryption options:

  • the lock screen passcode as the encryption key

  • a key generated by and stored on the device

But when the device is jailbroken it's not safe either.

OAuth:

Even though you store the credentials on the server, you'll have to save the OAuth token on the client side, and there is no place better than the keychain to store it on the client side. So now comes the possibility of extracting the token on a jailbroken device.

As far as I know, most apps use one of these approaches.

If you need those data to be very, very secure:

Suggestions:

  • Store the OAuth token on the server, not on the client

  • Store the encrypted credentials in the Keychain and store the encryption key on the server. This approach would be easy for you since you said adopting OAuth is hard for you.

Note:

There are some open source libraries available which detect whether the device or app you run on is cracked; if so, you can take action like deactivating the token, deleting critical resources, locking the app, etc.
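The second suggestion in the answer (sealed credentials on the device, the key on the server) is an envelope-encryption design. The following Go program is an added example written for this page, not code from the answer or from any iOS library: the `KeyServer` type is a constructed stand-in for the app backend, the `Keychain` map stands in for the iOS Keychain (which would only ever hold the sealed blob), and the device ID, usernames and passwords are made-up sample data. It uses AES-256-GCM from the Go standard library so that any tampering with the stored blob, a blob copied to another device, or a revoked key all fail closed instead of yielding plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credentials is the secret the app wants to keep on the device.
type Credentials struct {
	Username string `json:"u"`
	Password string `json:"p"`
}

// KeyServer is a constructed stand-in for the app backend: one wrapping key
// per device, which the backend can revoke (e.g. on a jailbreak report or a
// logout). A real backend would authenticate the device before serving the key.
type KeyServer struct {
	keys map[string][]byte
}

func NewKeyServer() *KeyServer { return &KeyServer{keys: map[string][]byte{}} }

// IssueKey creates a fresh 256-bit key for a device and keeps it server-side.
func (s *KeyServer) IssueKey(deviceID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	s.keys[deviceID] = key
	return key, nil
}

// FetchKey is what the client calls at unlock time; it fails once revoked.
func (s *KeyServer) FetchKey(deviceID string) ([]byte, error) {
	key, ok := s.keys[deviceID]
	if !ok {
		return nil, errors.New("key revoked or unknown device")
	}
	return key, nil
}

// Revoke deletes the key; every blob sealed under it becomes unreadable.
func (s *KeyServer) Revoke(deviceID string) { delete(s.keys, deviceID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredentials encrypts with AES-256-GCM. The device ID is bound as
// associated data so a blob copied from another device will not open.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag.
func SealCredentials(key []byte, deviceID string, c Credentials) ([]byte, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, []byte(deviceID)), nil
}

// OpenCredentials reverses SealCredentials; a wrong key, wrong device or any
// tampering surfaces as an authentication error, never as garbage output.
func OpenCredentials(key []byte, deviceID string, blob []byte) (Credentials, error) {
	var c Credentials
	aead, err := newGCM(key)
	if err != nil {
		return c, err
	}
	if len(blob) < aead.NonceSize() {
		return c, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(deviceID))
	if err != nil {
		return c, fmt.Errorf("cannot decrypt credentials: %w", err)
	}
	return c, json.Unmarshal(plain, &c)
}

// Keychain stands in for the iOS Keychain: it only ever sees the sealed blob.
type Keychain map[string][]byte

func main() {
	server, keychain := NewKeyServer(), Keychain{}
	const device = "device-1234" // constructed sample ID
	key, _ := server.IssueKey(device)
	blob, _ := SealCredentials(key, device, Credentials{Username: "alice", Password: "hunter2"})
	keychain["login"] = blob // the client keeps only the blob, never the key
	k, _ := server.FetchKey(device)
	c, err := OpenCredentials(k, device, keychain["login"])
	fmt.Println("unlock:", c.Username, err)
	server.Revoke(device) // e.g. after a jailbreak report
	_, err = server.FetchKey(device)
	fmt.Println("after revoke:", err)
}
```

The point of the design is what an attacker on a jailbroken device actually gets: the Keychain dump yields only the sealed blob, and the server can make that blob permanently worthless by deleting the key. The trade-off is that the client must be online to unlock, and the server's key fetch endpoint becomes the thing to protect (device authentication, rate limiting, and revocation on the cracked-device signals the note above mentions).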

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow