From 098aaa01e307d03798aeee00d756da99683c5d11 Mon Sep 17 00:00:00 2001 From: Chandler De Angelis Date: Fri, 15 Dec 2017 10:14:03 -0800 Subject: [PATCH 1/4] Added URLCredential documentation --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 08d5a4d..1890ca9 100644 --- a/README.md +++ b/README.md 
@@ -454,6 +454,8 @@ Even in an age where we trust our portable devices with the most private data, a If your app needs to store sensitive data, such as a username and password, an authentication token or some personal user details, you need to keep these in a location where they cannot be accessed from outside the app. Never use `NSUserDefaults`, other plist files on disk or Core Data for this, as they are not encrypted! In most such cases, the iOS Keychain is your friend. If you're uncomfortable working with the C APIs directly, you can use a wrapper library such as [SSKeychain][sskeychain] or [UICKeyChainStore][uickeychainstore]. +There is also a way to store your credentials with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). You create a store your access token in a `NSURLCredential`, and store that credential in `NSURLCredentialStorage.shared` singleton. You will also need to specify a [NSURLProtectionSpece](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. You can persist the credentials in the user's keychain, or for a single request. + When storing files and passwords, be sure to set the correct protection level, and choose it conservatively. If you need access while the device is locked (e.g. for background tasks), use the "accessible after first unlock" variety. In other cases, you should probably require that the device is unlocked to access the data. Only keep sensitive data around while you need it. ### Networking From 06d38c8acbcee7d9cf18d5bff60ea5ca73343464 Mon Sep 17 00:00:00 2001 From: Chandler De Angelis Date: Fri, 15 Dec 2017 10:44:41 -0800 Subject: [PATCH 2/4] Fixing typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 1890ca9..72fabed 100644 --- a/README.md +++ b/README.md 
@@ -454,7 +454,7 @@ Even in an age where we trust our portable devices with the most private data, a If your app needs to store sensitive data, such as a username and password, an authentication token or some personal user details, you need to keep these in a location where they cannot be accessed from outside the app. Never use `NSUserDefaults`, other plist files on disk or Core Data for this, as they are not encrypted! In most such cases, the iOS Keychain is your friend. If you're uncomfortable working with the C APIs directly, you can use a wrapper library such as [SSKeychain][sskeychain] or [UICKeyChainStore][uickeychainstore]. -There is also a way to store your credentials with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). You create a store your access token in a `NSURLCredential`, and store that credential in `NSURLCredentialStorage.shared` singleton. You will also need to specify a [NSURLProtectionSpece](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. You can persist the credentials in the user's keychain, or for a single request. +There is also a way to store your credentials with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). You create and store your access token in a `NSURLCredential`, and store that credential in a `NSURLCredentialStorage` instance. You will also need to specify a [NSURLProtectionSpece](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. 
You can persist the credentials in the user's keychain, or for a single request. When storing files and passwords, be sure to set the correct protection level, and choose it conservatively. If you need access while the device is locked (e.g. for background tasks), use the "accessible after first unlock" variety. In other cases, you should probably require that the device is unlocked to access the data. Only keep sensitive data around while you need it. From ceb58fa3366bbb9d8bb373419a0169de3edbf573 Mon Sep 17 00:00:00 2001 From: Chandler De Angelis Date: Mon, 22 Jan 2018 11:27:25 -0800 Subject: [PATCH 3/4] Fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 72fabed..da65668 100644 --- a/README.md +++ b/README.md 
@@ -454,7 +454,7 @@ Even in an age where we trust our portable devices with the most private data, a If your app needs to store sensitive data, such as a username and password, an authentication token or some personal user details, you need to keep these in a location where they cannot be accessed from outside the app. Never use `NSUserDefaults`, other plist files on disk or Core Data for this, as they are not encrypted! In most such cases, the iOS Keychain is your friend. If you're uncomfortable working with the C APIs directly, you can use a wrapper library such as [SSKeychain][sskeychain] or [UICKeyChainStore][uickeychainstore]. -There is also a way to store your credentials with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). You create and store your access token in a `NSURLCredential`, and store that credential in a `NSURLCredentialStorage` instance. You will also need to specify a [NSURLProtectionSpece](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. You can persist the credentials in the user's keychain, or for a single request. +There is also a way to store your credentials with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). You create and store your access token in a `NSURLCredential`, and store that credential in a `NSURLCredentialStorage` instance. You will also need to specify a [NSURLProtectionSpace](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. 
You can persist the credentials in the user's keychain, or for a single request. When storing files and passwords, be sure to set the correct protection level, and choose it conservatively. If you need access while the device is locked (e.g. for background tasks), use the "accessible after first unlock" variety. In other cases, you should probably require that the device is unlocked to access the data. Only keep sensitive data around while you need it. From de7cb90d5f09b7fc69db679f684318c129ff804b Mon Sep 17 00:00:00 2001 From: Chandler De Angelis Date: Mon, 22 Jan 2018 11:34:34 -0800 Subject: [PATCH 4/4] Made NSURLCredential the default way to store sensitive data in the keychain. --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index da65668..ee0bcc9 100644 --- a/README.md +++ b/README.md 
@@ -452,9 +452,7 @@ Even in an age where we trust our portable devices with the most private data, a ### Data Storage -If your app needs to store sensitive data, such as a username and password, an authentication token or some personal user details, you need to keep these in a location where they cannot be accessed from outside the app. Never use `NSUserDefaults`, other plist files on disk or Core Data for this, as they are not encrypted! In most such cases, the iOS Keychain is your friend. If you're uncomfortable working with the C APIs directly, you can use a wrapper library such as [SSKeychain][sskeychain] or [UICKeyChainStore][uickeychainstore]. - -There is also a way to store your credentials with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). You create and store your access token in a `NSURLCredential`, and store that credential in a `NSURLCredentialStorage` instance. You will also need to specify a [NSURLProtectionSpace](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. You can persist the credentials in the user's keychain, or for a single request. +If your app needs to store sensitive data, such as a username and password, an authentication token or some personal user details, you need to keep these in a location where they cannot be accessed from outside the app. Never use `NSUserDefaults`, other plist files on disk or Core Data for this, as they are not encrypted! In most such cases, the iOS Keychain is your friend. It is best to store your credentials in the iOS Keychain with [NSURLCredential](https://developer.apple.com/documentation/foundation/nsurlcredential) and [NSURLCredentialStorage](https://developer.apple.com/documentation/foundation/nsurlcredentialstorage). 
You create and store your access token in a `NSURLCredential`, and store that credential in a `NSURLCredentialStorage` instance. You will also need to specify a [NSURLProtectionSpace](https://developer.apple.com/documentation/foundation/urlprotectionspace), which represents a server or an area on a server, commonly referred to as a realm, that requires authentication. You can persist the credentials in the user's keychain, or for a single request. There are also wrapper libraries such as [SSKeychain][sskeychain] or [UICKeyChainStore][uickeychainstore], that let you interact with the keychain directly, but this is not recommended. When storing files and passwords, be sure to set the correct protection level, and choose it conservatively. If you need access while the device is locked (e.g. for background tasks), use the "accessible after first unlock" variety. In other cases, you should probably require that the device is unlocked to access the data. Only keep sensitive data around while you need it.
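Review bot: In the paragraph added by [PATCH 1/4], the closing sentence ("You can persist the credentials in the user's keychain, or for a single request") does not say which persistence setting actually puts the credential in the keychain. This section exists to steer readers toward encrypted storage, so name the `NSURLCredentialPersistence` value to use (`permanent` is the keychain-backed one) and state that `none` and `forSession` do not keep the credential across launches. The same paragraph also contains "You create a store your access token", "in `NSURLCredentialStorage.shared` singleton" (missing "the") and the misspelled link text `NSURLProtectionSpece`; fixing these in this commit would make patches 2/4 and 3/4 unnecessary.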
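Review bot: The `+` line of [PATCH 2/4] still carries `NSURLProtectionSpece` in the link text, so a commit titled "Fixing typo" leaves one typo behind, and "a `NSURLCredential`" should read "an `NSURLCredential`". The same line also replaces "`NSURLCredentialStorage.shared` singleton" with "a `NSURLCredentialStorage` instance", which changes what the reader is told to use rather than correcting a typo. Either keep the `shared` reference or say in the commit message why it was dropped.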
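Review bot: In the `+` line of [PATCH 3/4] the link text now reads `NSURLProtectionSpace`, but its target is still `foundation/urlprotectionspace` while the two links before it point at `foundation/nsurlcredential` and `foundation/nsurlcredentialstorage`; pick one naming for all three. This one-word fix and patch 2/4 both rewrite the sentence introduced in patch 1/4, so consider squashing the three before merging.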
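Review bot: The new wording in [PATCH 4/4] ("It is best to store your credentials in the iOS Keychain with NSURLCredential" and, for the wrapper libraries, "but this is not recommended") reverses the README's earlier advice without giving a reason, and it sits awkwardly with the unchanged context around it. The opening sentence still lists "some personal user details" as data to protect, which a username/password credential tied to a protection space does not model, and the following paragraph tells readers to "set the correct protection level" without this text showing how to choose one through `NSURLCredentialStorage`. Please justify the recommendation, scope it to server credentials, and keep the wrappers as the suggested route for other secrets and for cases where the accessibility class must be chosen. The phrase "wrapper libraries ... that let you interact with the keychain directly" also contradicts itself (the removed sentence offered wrappers as the alternative to "working with the C APIs directly"), and the comma before "that" should go.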