Insecure password storage

Open mxsasha opened this issue 12 years ago • 3 comments

The username and password of the configured account are stored in a SQLite database. The database file does not use iOS' data protection, so it is readable to anyone with physical access to the device.

The best solution would be to store the password not in SQLite, but in the Keychain, which was designed exactly for this purpose.

mxsasha, Sep 09 '13 11:09

Great point. I will use your suggestion and store it in the keychain. This will be in the next release.

thedillonb, Sep 10 '13 17:09

Hey @thedillonb, just checking if this is being worked on? If not, I'll check it out.

jai, Jul 24 '16 11:07

No, this is not being worked on. I had originally de-prioritized this due to the fact that the app is now using token-based authentication that requires a token refresh every hour, so the only thing you could extract from the device would be expired tokens - unless you lost your device and somebody found it and immediately extracted it within an hour.

Regardless, you're welcome to work on it. There's some code already in the AppDelegate.cs around keychain access so you might be able to leverage that code.

Thanks for your help!

thedillonb, Jul 24 '16 14:07
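
One way to implement the Keychain storage suggested in this issue, written against the Xamarin.iOS `Security` bindings because the thread refers to `AppDelegate.cs`. This is an added example, not code from the project: the `CredentialStore` class and the service name are hypothetical.

```csharp
using System;
using Foundation;
using Security;

// Hypothetical helper: keeps the account secret in the iOS Keychain
// instead of a plaintext column in the SQLite database.
public static class CredentialStore
{
    // Constructed placeholder; use the app's own identifier.
    const string Service = "com.example.app.account";

    // Lookup key for one account's generic-password item.
    static SecRecord Query(string username) =>
        new SecRecord(SecKind.GenericPassword) { Service = Service, Account = username };

    public static void Save(string username, string secret)
    {
        var record = Query(username);
        record.ValueData = NSData.FromString(secret, NSStringEncoding.UTF8);
        // Readable only while the device is unlocked, and never migrated
        // to another device through a backup restore.
        record.Accessible = SecAccessible.WhenUnlockedThisDeviceOnly;

        // Replace any existing item so a changed secret overwrites the old one.
        SecKeyChain.Remove(Query(username));
        var status = SecKeyChain.Add(record);
        if (status != SecStatusCode.Success)
            throw new InvalidOperationException($"Keychain write failed: {status}");
    }

    // Returns null when nothing is stored for this account.
    public static string Load(string username)
    {
        var match = SecKeyChain.QueryAsRecord(Query(username), out SecStatusCode status);
        if (status == SecStatusCode.ItemNotFound)
            return null;
        if (status != SecStatusCode.Success)
            throw new InvalidOperationException($"Keychain read failed: {status}");
        return NSString.FromData(match.ValueData, NSStringEncoding.UTF8).ToString();
    }

    // Call on logout, and after migrating a secret out of SQLite.
    public static void Delete(string username) => SecKeyChain.Remove(Query(username));
}
```

When migrating existing installs, the secret has to be deleted from the SQLite row after it is written to the Keychain, otherwise the original exposure remains.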