Please see the latest git master which uses the keychain. A release is forthcoming.
That's great news! My apologies for not checking the git repository once again before reposting.
// Leonardo.
On Thu, 2015-08-27 at 13:05 +0200, Leonardo Brondani Schenkel wrote:
> Hello,
>
> I don't really mean to be pushy, but in February I contributed some patches to the iOS version of FreeOTP to make it use the Keychain (with automatic migration of existing data) and I never got any reply or feedback.
>
> Right now, since the secrets are stored via NSUserDefaults, it's trivial to extract the secrets from the app by using any iOS file browser on the desktop (no jailbreak needed), and they are also stored in *cleartext* in any unencrypted backups. They are very poorly protected and I feel that it is very important that this gets addressed, and I felt compelled to contribute with actual patches. Am I the only one that thinks that this is a problem?
>
> // Leonardo
>
> On 17/02/2015 16:26, Leonardo Brondani Schenkel wrote:
>> Hi Nathaniel,
>>
>> I've changed FreeOTP to use the Keychain to store the tokens (and migrate anything present in NSUserDefaults).
>>
>> The patches are attached and you can also view the changes here:
>> https://github.com/lbschenkel/FreeOTP-iOS/compare/keychain?diff=unified&name=keychain
>>
>> Note that I'm being very conservative and using 'kAccessibleWhenUnlockedThisDeviceOnly', so tokens will only be stored on the device and will not be able to be transported to any other device, nor will they be present in any backups. That should make the app as secure (assuming no security bugs in the iOS platform) as hardware tokens.
>>
>> Instead of using the raw Keychain API, which is very cumbersome and hard to use (and read), I've decided to incorporate the FXKeychain wrapper (from here: https://github.com/nicklockwood/FXKeychain). It has the advantage of keeping TokenStore.m mostly unchanged and it has a compatible license — and IMHO its code is pretty readable and has good quality.
>>
>> The commits are small on purpose to make each change easier to review.
>> Please let me know if you believe something can be improved.
>>
>> Cheers,
>> Leonardo.
>>
>> On 13/02/15 16:32, Nathaniel McCallum wrote:
>>> On Tue, 2015-02-10 at 21:42 +0100, Leonardo Brondani Schenkel wrote:
>>>> Hi,
>>>>
>>>> Is there any reason why the iOS app uses the NSUserDefaults mechanism to store the secrets instead of the Keychain? It's not really considered a good practice to use the former to store secrets.
>>
>>> Nope. There isn't really a good reason.
>>
>>>> If there is no strong reason, would a patch that uses the
>>>> Keychain be considered for inclusion into a future release?
>>
>>> Yes, I would consider it. The most important thing is that upgrades be handled smoothly.
>>
>>> Nathaniel
>>> _______________________________________________
>>> freeotp-devel mailing list
>>> freeotp-devel(a)lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/freeotp-devel
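As an added illustration (not code from this thread, nor from the FreeOTP project, whose patches went through the FXKeychain wrapper), this is what the approach Leonardo describes looks like with the raw Security framework calls: secrets stored under kSecAttrAccessibleWhenUnlockedThisDeviceOnly, plus a one-time migration that erases the NSUserDefaults copy of each secret only after its Keychain write succeeds. The NSUserDefaults key, the service name and the token-id-to-base32-secret layout are assumptions made for the example.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed names for this example; the thread does not show FreeOTP's real key or service names.
static NSString *const kLegacyDefaultsKey = @"tokens";              // hypothetical
static NSString *const kKeychainService   = @"org.example.freeotp"; // hypothetical

// Base query that identifies one token's secret in the Keychain.
static NSMutableDictionary *TokenQuery(NSString *tokenId) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kKeychainService,
               (__bridge id)kSecAttrAccount: tokenId } mutableCopy];
}

// Store a secret readable only while this device is unlocked; never backed up or moved to another device.
BOOL StoreSecret(NSString *tokenId, NSData *secret) {
    NSMutableDictionary *query = TokenQuery(tokenId);
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any stale copy
    query[(__bridge id)kSecValueData]      = secret;
    query[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)query, NULL) == errSecSuccess;
}

// Read a secret back; returns nil when absent or when the device is locked.
NSData *LoadSecret(NSString *tokenId) {
    NSMutableDictionary *query = TokenQuery(tokenId);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}

// One-time migration out of the plist-backed NSUserDefaults. Each cleartext copy is
// removed only after its Keychain write succeeded, so a failure mid-way loses no token.
void MigrateLegacySecrets(void) {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSDictionary *legacy = [defaults dictionaryForKey:kLegacyDefaultsKey]; // assumed {tokenId: base32 secret}
    if (legacy == nil) return;
    NSMutableDictionary *remaining = [legacy mutableCopy];
    for (NSString *tokenId in legacy) {
        NSData *secret = [legacy[tokenId] dataUsingEncoding:NSUTF8StringEncoding];
        if (StoreSecret(tokenId, secret)) [remaining removeObjectForKey:tokenId];
    }
    if (remaining.count == 0) [defaults removeObjectForKey:kLegacyDefaultsKey];
    else [defaults setObject:remaining forKey:kLegacyDefaultsKey];
}
```

Call MigrateLegacySecrets once at launch before the token list is loaded; after it runs, an unencrypted backup no longer contains the secrets, because the ThisDeviceOnly accessibility class keeps them out of the backup set.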