Let’s say I need to access a web service from an iPhone app. This web service requires clients to digitally sign HTTP requests in order to prove that the app “knows” a shared secret; a client key. The request signature is stored in a HTTP header and the request is simply sent over HTTP (not HTTPS).

This key must stay secret at all times yet needs to be used by the iPhone app.

So, how would you securely store this key given that you’ve always been told to never store anything sensitive on the client side?

The average user (99% of users) will happily just use the application. There will be somebody (an enemy?) who wants that secret client key so as to do the service or client key owner harm by way of impersonation. Such a person might jailbreak their phone, get access to the binary, run ‘strings’ or a hex editor and poke around. Thus, just storing the key in the source code is a terrible idea.

Another idea is storing the key in code not a string literal but in a NSMutableArray that’s created from byte literals.

One can use the Keychain but since an iPhone app never has to supply a password to store things in the Keychain, I’m wary that someone with access to the app’s sandbox can and will be able to simply look at or trivially decode items therein.

EDIT – so I read this about the Keychain: “In iPhone OS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application.”

So perhaps this is the best place to store the key…. If so, how do I ship with the key pre-entered into the app’s keychain? Is that possible? Else, how could you add the key on first launch without the key being in the source code? Hmm..

EDIT – Filed bug report # 6584858 at http://bugreport.apple.com

Thanks.