How to store non-standard web authentication?

Question

In the web API my app communicates with, the authentication process is designed in the following way:

1. The user enters the name of the group that he/she belongs to.
2. The server sends the list of group members.
3. The user chooses a user name and types a password.
4. My app sends a hash constructed of the group id, user id and password to the server to validate the credentials and in case of successful validation uses this hash in further transactions.

Having this process, I do not get standard NSURLConnection messages like connection:canAuthenticateAgainstProtectionSpace: or connection:didReceiveAuthenticationChallenge:.
I can deal with it per se, but when it comes to securely storing the credentials, I get confused. Is there a way to do this via some built-in iOS SDK methods or I have to write the hash in a file manually, for example? What's the proper way?

Answer 1

The keychain seems the best option to store the user's credentials/hash. Check out http://developer.apple.com/library/mac/#documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html

And https://github.com/ldandersen/scifihifi-iphone/tree/05e64ff2814a8192c43f1f81eb8e09dc3764fa18/security

• Be aware that while the keychain is probably the safest place in iOS to store this kind of data, it isn't entirely secure. But considering the data you want to store, it's probably well enough.

Edit: Look at http://overhrd.com/?p=208 You'd be able to access the data on your keychain with simple calls of this nature:

[Keychain setString:@"hashhashhash" forKey:@"userHash"];

// later on…
[Keychain getStringForKey:@"userHash"];