Chapter 5. Storing Confidential Data in the Keychain


  • What the keychain is

  • Why use the keychain

  • How to use the keychain on the Mac and iPhone

Both Mac OS X and the iPhone OS provide a keychain, a service for storing, retrieving, and manipulating secret information (the Classic Mac OS provided one, too). In addition to giving developers a common way to handle confidential assets securely, the Keychain Access utility on the Mac gives users a single entry point for configuring and managing their secrets. Applications that take advantage of the keychain make it easy for users to understand how their passwords and other confidential information are stored and used.
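As an added illustration of the "storing, retrieving, and manipulating" part (this is not code from the book), the following Objective-C shows the Keychain Services calls that are common to Mac OS X 10.6 and later and the iPhone OS: SecItemAdd, SecItemUpdate, SecItemCopyMatching and SecItemDelete, keyed on a generic-password item identified by service and account. The service name and account are made-up values, and the helper function names are the example's own.

```objective-c
// Added example, not from the book: store, fetch and delete a generic password
// with the Keychain Services API shared by Mac OS X (10.6+) and the iPhone OS.
// Build with ARC and link Foundation and Security; identifiers below are made up.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Attributes that identify exactly one item: item class + service + account.
static NSMutableDictionary *KeychainQuery(NSString *service, NSString *account) {
    return [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    } mutableCopy];
}

// Store a password, replacing any existing one. Returns errSecSuccess on success.
OSStatus KeychainStorePassword(NSString *service, NSString *account, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableDictionary *query = KeychainQuery(service, account);

    // Update first so a second save does not fail with errSecDuplicateItem...
    NSDictionary *change = @{ (__bridge id)kSecValueData: secret };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
                                    (__bridge CFDictionaryRef)change);
    if (status != errSecItemNotFound) {
        return status;
    }
    // ...and only add a new item when none existed yet.
    query[(__bridge id)kSecValueData] = secret;
#if TARGET_OS_IPHONE
    // iPhone OS 4 and later: item is readable only while the device is unlocked.
    query[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlocked;
#endif
    return SecItemAdd((__bridge CFDictionaryRef)query, NULL);
}

// Fetch a password. Returns nil and sets *status when the item is missing
// or the lookup fails; status is errSecItemNotFound for a missing item.
NSString *KeychainFetchPassword(NSString *service, NSString *account, OSStatus *status) {
    NSMutableDictionary *query = KeychainQuery(service, account);
    query[(__bridge id)kSecReturnData] = @YES;                               // want the secret bytes
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;    // exactly one result

    CFTypeRef result = NULL;
    OSStatus err = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) {
        *status = err;
    }
    if (err != errSecSuccess) {
        return nil;
    }
    NSData *data = CFBridgingRelease(result);   // takes ownership of the returned CFDataRef
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the item so a stale secret is not left behind (e.g. on sign-out).
OSStatus KeychainDeletePassword(NSString *service, NSString *account) {
    return SecItemDelete((__bridge CFDictionaryRef)KeychainQuery(service, account));
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSString *service = @"com.example.mailclient";   // made-up service identifier
        NSString *account = @"alice@example.com";        // made-up account name
        OSStatus status;

        status = KeychainStorePassword(service, account, @"correct horse battery staple");
        NSLog(@"store:  %d", (int)status);

        NSString *password = KeychainFetchPassword(service, account, &status);
        // Log the outcome, never the secret itself.
        NSLog(@"fetch:  %d (%@)", (int)status, password ? @"password present" : @"no password");

        NSLog(@"delete: %d", (int)KeychainDeletePassword(service, account));
    }
    return 0;
}
```

The update-then-add order matters: calling SecItemAdd for a service/account pair that already exists fails with errSecDuplicateItem, and silently ignoring that error leaves the old password in place. On the Mac the same code goes through the user's login keychain, so Keychain Access shows the item and the user can inspect or revoke it; kSecAttrAccessible is honoured only on the iPhone OS, which is why it is guarded with TARGET_OS_IPHONE.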


Passwords are dangerous pieces of information. Access to a user's password for a service allows an attacker to pose as that user to the service protected by the password. Remember the categorization in Chapter 1 of spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege (STRIDE). A leaked password allows a spoofing attack, under which the attacker can view protected data (information disclosure) and modify it (tampering), potentially with elevated privileges. If you consider that the attacker can probably now choose to terminate the account he's logged in with, and that everything he does appears to have been done by the user, a password loss comes under the repudiation and denial of service categories, too. One attack that checks all the threat boxes!

Unfortunately, ...

Get Professional Cocoa® Application Security now with the O’Reilly learning platform.
