Titanium Community Questions & Answer Archive

We felt that 6+ years of knowledge should not die, so this is the Titanium Community Questions & Answer Archive.

Is it safe to store cryptographic passwords in my app?

I need to generate a SHA-256 with salt which I will use for each server request to verify the user. Is it safe to store the salt within my app?

I know that Titanium converts JavaScript to Objective-C and that the app IPA file is encrypted. But I also know that you can decrypt an IPA. What happens then? Would it be difficult to find my salt passphrase?

PS - I have ported over an HMAC SHA-256 JavaScript quite nicely to Titanium.

— asked April 16th 2010 by Ryan Gartin
  • cryptography
  • encryption
  • ipa
  • iphone
  • mobile
  • salt
  • sha
0 Comments

2 Answers

  • I would like to know the same, is it safe? Any chance that you would share your HMAC SHA-256 solution?

    — answered July 31st 2010 by Patrik Totero
    3 Comments
• After much research and not very direct answers from Premium Support I decided NOT to use the encryption, for several reasons:

      1) Firstly, and most importantly, Apple makes a big deal about encrypting anything in your app and there are very strict procedures regarding it.
      2) I chose to use Facebook's authentication where it validates via my server which remotely processes encryption.

In both cases it was a hassle. If you are using Facebook look into option 2. If you have a username/password to your server, let your server do the encryption.

      Anyone wanting the JS file (SHA+HMAC) to "include" I can provide you with the file. It's just a short function call to do the encrypting. Very easy. Email me at ryan + eagledevelopers.net

      — commented July 31st 2010 by Ryan Gartin
• Oh and as far as I know, storing the "key" for the encryption will definitely be vulnerable if someone goes rummaging around your app's files.

      — commented July 31st 2010 by Ryan Gartin
• Hmm, well it's not Facebook and I have to sign my request using HMAC SHA-256 encryption to be able to receive any data from the API call. Maybe I'll go for Objective-C programming for this one after all. Anyway, thanks for the reply. I'll drop you an email just to see what I can do.

      — commented July 31st 2010 by Patrik Totero
  • double post

    — answered July 31st 2010 by Patrik Totero
    0 Comments
The ownership of individual contributions to this community generated content is retained by the authors of their contributions.
All trademarks remain the property of the respective owner.