Please see the latest git master which uses the keychain. A release
That's great news! My apologies for not checking the git repository once
again before reposting.
On Thu, 2015-08-27 at 13:05 +0200, Leonardo Brondani Schenkel wrote:
> I don't really mean to be pushy, but in February I contributed some
> patches to the iOS version of FreeOTP to make it use the Keychain
> automatic migration of existing data) and I never got any reply or
> Right now since the secrets are stored via NSUserDefaults it's
> to extract the secrets from the app by using any iOS file browser in
> desktop (no jailbreak needed) and they are also stored in
> *cleartext* in
> any unencrypted backups. They are very poorly protected and I feel
> it is very important that this gets addressed and I felt compelled to
> contribute with actual patches. Am I the only one that thinks that
> is a problem?
> // Leonardo
> On 17/02/2015 16:26, Leonardo Brondani Schenkel wrote:
>> Hi Nathaniel,
>> I've changed FreeOTP to use the Keychain to store the tokens (and
>> migrate anything present in NSUserDefaults).
>> The patches are attached and you can also view the changes here:
>> Note that I'm being very conservative and using
>> 'kAccessibleWhenUnlockedThisDeviceOnly', so tokens will only be
>> in the device and will not be able to be transported to any other
>> device nor will be present in any backups. That should make the
>> app be
>> as secure (assuming no security bugs in the iOS platform) as
>> Instead of using the raw Keychain API, which is very cumbersome and
>> hard to use (and read), I've decided to incorporate the FXKeychain
>> wrapper (from here: https://github.com/nicklockwood/FXKeychain
>> has the advantage of keeping TokenStore.m mostly unchanged and it
>> a compatible license — and IMHO its code is pretty readable and has
>> good quality.
>> The commits are small on purpose to make each change easier to
>> Please let me know if you believe something can be improved.
>> On 13/02/15 16:32, Nathaniel McCallum wrote:
>>> On Tue, 2015-02-10 at 21:42 +0100, Leonardo Brondani Schenkel
>>>> Is there any reason why the iOS app the NSUserDefaults
>>>> to store the secrets instead of the Keychain? It's not really
>>>> considered a good practice to use the former to store secrets.
>>> Nope. There isn't really a good reason.
>>>> If there is no strong reason, would a patch that uses the
>>>> Keychain be considered for inclusion into a future release?
>>> Yes, I would consider it. The most important thing is that
>>> be handled smoothly.
>>> Nathaniel _______________________________________________
>>> freeotp-devel mailing list freeotp-devel(a)lists.fedorahosted.org
> freeotp-devel mailing list
freeotp-devel mailing list