SecureDefaults for iOS, macOS
Requirements • Usage • Installation • Contributing • Acknowledgments • Contributing • Author • License
SecureDefaults
is a wrapper over UserDefaults/NSUserDefaults
with an extra AES-256 encryption layer (key size has 256-bit length). It encludes:
- AES-256 encryption
- Password stretching with PBKDF2
- Encrypt-then-hash HMAC
- Password salting
- Random IV
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use. [1]
Motivation
- Avoiding the following behavior https://stackoverflow.com/questions/4747404/delete-keychain-items-when-an-app-is-uninstalled. (Yes, there is still a key, but there is no data)
- Avoiding additional thinking about there is a good place to store a particular value. (choice between Keychain and
UserDefaults
) - Improving a situation with security on the iOS platform. Many apps I've seen didn't use
Keychain
. They store all sensitive data inUserDefaults
(access tokens, passwords, etc)... At least, this can help to make such apps a bit more secured without pain. Perhaps, if this framework is almost the same asUserDefaults
, maybe developers will start using it? - It doesn't look good to keep many simple keys in
Keychain
.
Requirements
- iOS 8.0+
- macOS 10.11+
- Xcode 10.1+
- Swift 4.2+
Usage
It is pretty simple to use SecureDefaults
instead of UserDefaults/NSUserDefaults
. In most cases, it is the same thing that is UserDefaults
. You just need to set a password to make it work.
Replace the following code:
UserDefaults.standard
by this one:
let defaults = SecureDefaults.shared
// Ensures that a password was not set before. Otherwise, if
// you set a password one more time, it will re-generate a key.
// That means that we lose old data as well.
if !defaults.isKeyCreated {
defaults.password = NSUUID().uuidString // Or any password you wish
}
To use the app and keychain groups:
let defaults = SecureDefaults(suitName: "app.group") // Set a shared app group
defaults.keychainAccessGroup = "keychain.group" // Set a shrared keychain group
if !defaults.isKeyCreated {
defaults.password = NSUUID().uuidString // Or any password you wish
}
SecureDefaults
is not able to catch that any particular data is encrypted, to obtain a raw value, use the following method:
public func rawObject(forKey defaultName: String) -> Any?
Installation
CocoaPods
SecureDefaults
is available through CocoaPods. To install it, simply add the following line to your Podfile:
pod 'SecureDefaults', '1.0.5' # Swift 5.0
pod 'SecureDefaults', '1.0.0' # Swift 4.2
Carthage
Add this to Cartfile
github "vpeschenkov/SecureDefaults" == 1.0.5 # Swift 5.0
github "vpeschenkov/SecureDefaults" == 1.0.0 # Swift 4.2
$ carthage update
Swift Package Manager
Create a Package.swift
file.
// swift-tools-version:4.2
import PackageDescription
let package = Package(
name: "YourProject",
dependencies: [
.package(url: "https://github.com/vpeschenkov/SecureDefaults", "1.0.4")
],
targets: [
.target(name: "YourProject", dependencies: ["SecureDefaults"])
]
)
$ swift build
Contributing
- If you need help or you'd like to ask a general question, open an issue.
- If you found a bug, open an issue.
- If you have a feature request, open an issue.
- If you want to contribute, submit a pull request.
Acknowledgments
A big thanks to the following individuals:
- Rob Napier - for this awesome article "Properly Encrypting With AES With CommonCrypto"
- Håvard Fossli - for this awesome Gist "AES 256 in swift 4 with CommonCrypto"
Author
Victor Peschenkov, [email protected]
License
SecureDefaults
is available under the MIT license. See the LICENSE file for more info.