Creating Secure iOS App — Part 1

Pandurang Yachwad
Published in Apps Studio
2 min read · Nov 13, 2018

Local Data Storage risks

Insecure local data storage makes an app vulnerable when sensitive data is written to the device without appropriate protection. Examples of sensitive data that is dangerous to store locally without such measures are:

  1. Username / password
  2. Session token / authorization token
  3. Users' PII
  4. Transaction IDs
  5. Location details
  6. App API keys

The most common local storage mechanisms are not a secure way to store sensitive data. Here is why:

  1. Plist file: a plist is one way to save data locally as key/value pairs. It is not secure because it is stored unencrypted and can be read from the app's sandbox folder on a jailbroken device.
  2. UserDefaults: another common way to store data locally, but it has the same problem as a plist, since the UserDefaults API persists its data as an unencrypted plist.
  3. Core Data: used for storing larger amounts of data, by default in a SQLite database. The problem is that the store is not encrypted and can be read with readily available tools on a jailbroken device.

So what is the secure way to store sensitive data on the device? It is the Keychain. Data is encrypted before being stored in the Keychain, following Apple's standard encryption mechanism, which saves the developer from implementing a complicated encryption scheme for securing data. The Keychain also lets you require an additional authentication factor, such as biometrics (Touch ID, Face ID), before an item can be read.
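As an added example (not code from the original post), here is how a session token could be written to and read back from the Keychain in Swift, with an optional biometric access-control policy; the service and account names are hypothetical:

```swift
import Foundation
import Security

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

struct TokenStore {
    let service = "com.example.myapp"   // hypothetical service identifier
    let account = "sessionToken"        // hypothetical account name

    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Save (or overwrite) the token. WhenUnlockedThisDeviceOnly keeps the item
    // encrypted while the device is locked and excludes it from backups, so it
    // cannot be restored onto another device.
    func save(_ token: String, requireBiometrics: Bool) throws {
        var query = baseQuery
        query[kSecValueData as String] = Data(token.utf8)
        if requireBiometrics {
            // Tie the item to the currently enrolled biometrics; re-enrolling
            // Touch ID / Face ID invalidates the item instead of exposing it.
            var cfError: Unmanaged<CFError>?
            guard let access = SecAccessControlCreateWithFlags(
                nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                .biometryCurrentSet, &cfError) else {
                throw KeychainError.unexpectedStatus(errSecParam)
            }
            query[kSecAttrAccessControl as String] = access
        } else {
            query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        }
        SecItemDelete(baseQuery as CFDictionary)   // drop any stale copy first
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    // Read the token back; the system prompts for biometrics if the item requires it.
    func load() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseOperationPrompt as String] = "Unlock your session"
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return String(decoding: data, as: UTF8.self)
    }
}
```

Because the item is marked ThisDeviceOnly and bound to the enrolled biometrics, it is neither backed up nor readable after a biometric re-enrollment, which is the behaviour you want for a session token rather than a long-lived secret.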

Finally, it is always advisable not to save the password itself locally, since even local encryption can be bypassed on a jailbroken device with advanced tooling.
