I have an iOS application that I'm developing, and the application must be bundled with a certificate in order to use the application, since it makes use of a webview and the site cannot be accessed without the certificate.
I currently have a working solution, but I noticed that when unzipping the .ipa file and looking into the code, I can see the password for the certificate very clearly, as you can see from this line from the compiled code:
lastSampleTimeMainjsbundlecertificatep12PASSWORDHEREGCDAsyncSocketErrorDomain
A short code snippet of how I am retrieving the certificate:
// Locate the .p12 shipped inside the app bundle and read it into memory
NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
NSData *p12Data = [[NSData alloc] initWithContentsOfFile:p12Path];
// Passphrase passed to SecPKCS12Import; this literal is what shows up in the binary
CFStringRef password = CFSTR("somePassword");
Is there any safe way to handle this type of scenario? Or will the password always be retrievable if it falls into the hands of someone who knows what he's doing?
CodePudding user response:
A simple solution might be to just obfuscate the string, creating the password string from a byte array, but that's still not very safe.
Some explanation here. Also to consider: loading the password into a string should be avoided, as it could be read from the heap at runtime: https://stackoverflow.com/a/8881376/20283130
CodePudding user response:
Use the Keychain API.
https://developer.apple.com/documentation/security/keychain_services
That's the standard way to protect API keys, certificates, even usernames and passwords.
It's simple and compatible with Objective-C.
EDIT: For Certificates: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates/storing_a_certificate_in_the_keychain
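As an added example (not code from either answer or from the original poster), here is the flow the second answer points at, in Objective-C: import the bundled .p12 once with SecPKCS12Import, store the resulting SecIdentityRef in the keychain under a label, fetch it by that label on later launches, and hand it to the WKWebView client-certificate challenge so the webview can reach the site. The label `com.example.client-identity`, the function and class names, and the one-time-import structure are assumptions made for this example; the resource name `certificate.p12` and the literal `somePassword` are taken from the question.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <WebKit/WebKit.h>

// Assumed label used to find the stored identity again; not part of the original post.
static NSString * const kClientIdentityLabel = @"com.example.client-identity";

// Look up a previously stored identity by label. Returns NULL if none exists.
// Caller owns the returned reference.
static SecIdentityRef CopyStoredIdentity(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass      : (__bridge id)kSecClassIdentity,
        (__bridge id)kSecAttrLabel  : kClientIdentityLabel,
        (__bridge id)kSecReturnRef  : @YES,
        (__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (status == errSecSuccess) ? (SecIdentityRef)result : NULL;
}

// One-time import of the bundled PKCS#12 and storage of the identity in the keychain.
// The passphrase is needed here and only here; afterwards the app works from the keychain.
static SecIdentityRef ImportAndStoreIdentity(NSData *p12Data, NSString *passphrase, OSStatus *outStatus) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (outStatus) *outStatus = status;
        if (items) CFRelease(items);
        return NULL;
    }
    CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    CFRetain(identity);
    CFRelease(items);

    // Persist the identity (certificate + private key) so later launches never touch the .p12.
    // ThisDeviceOnly keeps the private key out of backups and off other devices.
    NSDictionary *add = @{
        (__bridge id)kSecValueRef       : (__bridge id)identity,
        (__bridge id)kSecAttrLabel      : kClientIdentityLabel,
        (__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    };
    status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess && status != errSecDuplicateItem) {
        CFRelease(identity);
        return NULL;
    }
    return identity;
}

// Returns the identity from the keychain, importing the bundled .p12 on first use.
static SecIdentityRef CopyClientIdentity(void) {
    SecIdentityRef identity = CopyStoredIdentity();
    if (identity) return identity;

    NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
    NSData *p12Data = [NSData dataWithContentsOfFile:p12Path];
    if (!p12Data) return NULL;
    OSStatus status = errSecSuccess;
    // The passphrase still has to come from somewhere on this first run (see the note below).
    identity = ImportAndStoreIdentity(p12Data, @"somePassword", &status);
    if (!identity) NSLog(@"PKCS#12 import failed: %d", (int)status);
    return identity;
}

// WKNavigationDelegate hook: answer the server's client-certificate challenge with the identity.
@interface ClientCertNavigationDelegate : NSObject <WKNavigationDelegate>
@end

@implementation ClientCertNavigationDelegate
- (void)webView:(WKWebView *)webView
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    // Only handle client-certificate challenges; let WebKit do its normal server-trust checks.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecIdentityRef identity = CopyClientIdentity();
    if (!identity) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity
                                                             certificates:nil
                                                              persistence:NSURLCredentialPersistenceForSession];
    CFRelease(identity);
    completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
}
@end
```

Set an instance of `ClientCertNavigationDelegate` as the `navigationDelegate` of the WKWebView before loading the site. What this buys is that the private key rests in the keychain, protected by the device's data protection, and the .p12 and its passphrase are only touched during the first import. What it does not do is remove the bootstrap problem the question shows: the passphrase must be available for that first SecPKCS12Import, and a literal compiled into the binary remains readable with `strings`, exactly as the question's dump demonstrates. Building the string from bytes only raises the effort, as the first answer says; the thing that actually removes the secret from the binary is to not ship it there at all, for example by provisioning the client identity to each device through a channel that authenticates the user, and keeping only the keychain lookup in the app.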