Saving data in iOS keychain

Where should you store users data? This is one of the most popular and hot topics about users data security in mobile development. Unfortunately, it’s still without one good practice. Sometimes there is a situation when your back-end team doesn’t implement the solution to allow storing credentials in a device in hashes or you need to have more than one account saved on the device🤔.

In this post, I would show you what is it exactly the keychain in the iOS system, how to use it to store data and some best practices according to storing sensitive data on the device. Sound good👍? Let’s go🚀!

What is keychain?

iOS system has an interesting thing called key chian🔐. The keychain is just a data storage for storing all sensitive data, like passwords, certificates etc.

Second question — why is it safe? Because the keychain is using comprehensive encryption. It means that data stored in it are secured with a key. The key is generated on the basis of unique device data and code for this device — known only for the owner. Minimum encryption algorithm there is 128-bit AES.

Since 2016 Apple has turned on the service called iCloud keychain, which means that the user is able to share his keychain between his devices within one AppleID.

Hm… looks like everything is flying and synchronizing using TLS encryption in 1.2 version, but after all my awareness that a file with all my credentials is somewhere on Apple servers does not fill me with joy. I’m not sure to this solution, but I’m letting it for your choice.

More information about keychain itself there is available on Apple support channel here: https://support.apple.com/en-us/HT202303

What to store in key chian🔐?

Keychain is the only relatively safe place to store sensitive data. Presumably, you hold the configuration data of your app in UserDefaults. But you have to remember that this is not the safe place for storing the sensitive data there, because it’s quite easy for a hacker to stole it (it’s enough to have an access to the device). It’s not that easy with keychain, which could be break only with user’s password.

Ok, so which data should we store in keychain?

  • logins and passwords (hashes)
  • payment data
  • keys for encrypting algorithms
  • if I remind myself something more I would add it 😎

Storing data in keychain has one more advantage — in a case when the user decides to remove the app from the device and then he decides to install it again, the data is still saved (of course if the user does not remove it by hand 😅).

Access to keychain

Ok, time for some code! Access to the keychain is simple to implement. Almost whole work Apple made for us ➡️ you have to just download the sample code from here 👉 https://developer.apple.com/library/content/samplecode/GenericKeychain/Introduction/Intro.html and then paste it into your project structure. I always add an extra struct to keychain configuration:

Ok, the arsenal is ready to use 🔫. First, we will care about saving data in the keychain.

NOTE: In this post, I focus just on using keychain so that I’m saving data as a plain text. But you have to remember about storing data in encryption format.

Function setPasswordToKeychain() creates new keychain object for our login and then saves the password with method savePassword(). This function could throw the error so that I’m using docatch structure.

Ok, it works fine 😁. Now I want to download the password from keychain for the username. I’m creating function getPassword():

func getPassword(forUser user: String) -> String? { }

The case is easy — method gets user’s login as a parameter and then it returns the password form keychain or nil if the username has no password stored.

And that’s it, it works! As I mentioned before I show you just a method to saving and reading data from the keychain. Remember that you should secure your data i.e. with implement of TouchID or some extra encryption.

What does can the keychain more?

If you are inquisitive (as a dev you should be 😁) I suppose that you have looked in copied support file from Apple.

As you have seen there are more functions which shows what the keychain can more. Except saving and reading password, the keychain allows you to change account name (user’s login):

mutating func renameAccount(_ newAccountName: String) throws

or remove the whole object:

func deleteItem() throws

Using keychain is quite easy and don’t require more and more coding work. One more best practice — do not hard-code any data like password and algorithm’s keys. This data should be different for every device and should be generated at runtime, i.e. it could be a hash of first auth token get from a server.

About encryption there will be a separate article.

Summary

Conclusions are simple — do not store passwords on the device if you don’t have to. But if you do 👉 use keychain and couple of encryption techniques.

According to keychain itself — as you have seen it doesn’t need so much coding and some mystery knowledge. Security is still the hot topic in IT world so that you should pay so so much attention to ensure the safety of your user’s data.

Thanks for visit and reading 👍. Please let some feedback on this article. You can catch me on social:

See you next time!

Jakub Kornatowski