Titanium Community Questions & Answer Archive

We felt that 6+ years of knowledge should not die so this is the Titanium Community Questions & Answer Archive

Is it safe to store cryptographic passwords in my app?

I need to generate a SHA-256 with salt which I will use for each server request to verify the user. Is it safe to store the salt within my app?

I know that Titanium converts JavaScript to Objective-C and that the app IPA file is encrypted. But I also know that you can decrypt an IPA. What happens then? Would it be difficult to find my salt passphrase?

PS - I have ported an HMAC SHA-256 JavaScript implementation over to Titanium quite nicely.

— asked April 16th 2010 by Ryan Gartin
  • cryptography
  • encryption
  • ipa
  • iphone
  • mobile
  • salt
  • sha

2 Answers

  • I would like to know the same, is it safe? Any chance that you would share your HMAC SHA-256 solution?

    — answered July 31st 2010 by Patrik Totero
    • After much research and not very direct answers from Premium Support I decided NOT to use the encryption, for several reasons.

      1) Firstly, and most importantly, Apple makes a big deal about encrypting anything in your app and there are very strict procedures regarding it.
      2) I chose to use Facebook's authentication where it validates via my server which remotely processes encryption.

      In both cases it was a hassle. If you are using Facebook look into option 2. If you have a username/password to your server, let your server do the encryption.

      Anyone wanting the JS file (SHA+HMAC) to "include" I can provide you with the file. It's just a short function call to do the encrypting. Very easy. Email me at ryan + eagledevelopers.net

      — commented July 31st 2010 by Ryan Gartin
    • Oh and as far as I know, storing the "key" for the encryption will definitely be vulnerable if someone goes rummaging around your app's files.

      — commented July 31st 2010 by Ryan Gartin
    • Hmm, well it's not Facebook and I have to sign my request using HMAC SHA-256 encryption to be able to receive any data from the API call. Maybe I'll go for Objective-C programming for this one after all. Anyway, thanks for the reply. I'll drop you an email just to see what I can do.

      — commented July 31st 2010 by Patrik Totero
  • double post

    — answered July 31st 2010 by Patrik Totero
The ownership of individual contributions to this community generated content is retained by the authors of their contributions.
All trademarks remain the property of the respective owner.