Access Tokens Persistence Best Practices (iOS)

Arie Litovsky picture Arie Litovsky · Apr 26, 2011 · Viewed 11.6k times · Source

Should access tokens for services like Twitter and Facebook be encrypted? In particular, should tokens be stored on the the device's Keychain vs. UserDefaults? What are some possible security issues that could arise if a user's device is stolen/taken

This is what I have come up with so far.

Pros of Keychain: Encrypted

Cons: No way to clean up when user removed app

Pros of UserDefaults: Kept inside the app.

Cons: No encryption.

Answer

user23743 picture user23743 · Apr 26, 2011

Your UserDefaults 'con' needs amending: no encryption by default. You can encrypt the content yourself using e.g. CommonCrypto, but it needs additional work over storing the plain text.

The point of an OAuth token is that someone who owns that token can use the relevant service without having to present credentials. Therefore, you should protect it like you would protect the password if you had to store that instead, as it has the same value.

If the user's device is stolen, then unless they have passcode-locked their device the thief has the capability to use your app as the user in either of the situations you describe. If you do not encrypt the access token, then they additionally have the capability to extract that and replay it from code under their control.