How to set kSecAccessControlUserPresence? - macos

I am trying to securely store passwords in Keychain while requiring user presence (through Touch ID) to access them.
According to docs, this can be achieved by setting “Access Control Constants like kSecAccessControlUserPresence on their keychain entry”.
I have no clue how this is done.
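
One way to do what the question asks, as an added example that is not part of the original post. It assumes macOS 10.15 or later, a code-signed app that can use the data protection keychain, and hypothetical names (`storePassword`, `readPassword`, `KeychainError`) and service/account strings chosen for illustration. The `.userPresence` flag is the Swift spelling of `kSecAccessControlUserPresence`; it is satisfied by Touch ID or by the device password as a fallback.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {            // hypothetical error type for this example
    case accessControl(CFError?)
    case unhandled(OSStatus)
}

// Store a secret so that every read requires user presence.
func storePassword(_ password: String, account: String, service: String) throws {
    var cfError: Unmanaged<CFError>?
    // The access control object combines a protection class with the presence flag.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .userPresence,
        &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: access,   // replaces kSecAttrAccessible
        kSecUseDataProtectionKeychain as String: true,
        kSecValueData as String: Data(password.utf8)
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
}

// Read the secret back; the system shows the Touch ID / password prompt.
func readPassword(account: String, service: String, reason: String) throws -> String? {
    let context = LAContext()
    context.localizedReason = reason               // text shown in the prompt
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
        kSecUseDataProtectionKeychain as String: true
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.unhandled(status)      // includes errSecUserCanceled
    }
    return String(data: data, encoding: .utf8)
}
```

The item is bound to this device and is not synchronized, so a failed or cancelled prompt surfaces as a non-success `OSStatus` rather than returning the data.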

Related

Is there a possibility to write information into iOS keychain programmatically...?

I am generating a random strong password for every user and want the user to use the same password for accessing the application. Since the password is going to be hard to remember, I wish to store the same in the keychain so it is easy to access.
Of course you can, you must be looking for nativescript-secure-storage plugin.
tns plugin add nativescript-secure-storage

Add items to particular OS X keychain other than the default

I am developing a macOS application. I am creating my own keychain. The keychain file is stored at a particular location on the Disk. Every time I launch the application, I have to write and read data from this keychain.
I am unable to find the correct way to add items to this particular keychain. I am using SecItemAdd(). I want to specify to which keychain SecItemAdd() should add the item.
Have you tried SecKeychainSetDefault? From its description:
In most cases, your application should not need to set the default keychain, because this is a choice normally made by the user. You may call this function to change where a password or other keychain items are added, but since this is a user choice, you should set the default keychain back to the user specified keychain when you are done.
Of course you will need other calls to obtain the SecKeychainRef argument this call requires etc., e.g. SecKeychainOpen, SecKeychainCopyDefault.
HTH

My Keychain shows The Password encrypted or XML?

I logged in to Keychain on my MacBook Pro (El Capitan) and clicked to show the password, but I get it encrypted like the image below, or XML like the other image. I can't figure out where the problem is. My password is correct and the keychain is unlocked with it. So why does it give me the protected password or XML?
It's because it's not a password you typed but an application-made credential. The contents of a keychain item is not always a password you typed, and often in the case of Apple and other Cloud systems it's a token or OAuth ID that simply represents the fact that at some point you logged in somewhere and allowed a computer or app to access your account. From that point forward the app or computer you authorised uses a special key or token to act on your behalf.
The reason this is done is twofold:
Security: your password isn't stored and therefore can't really be 'stolen'. Since the token can be revoked from the other side (i.e. from your Apple ID or Google account) and usually is only valid for a specific computer it's not something you can 'steal' and use elsewhere as-is. It is still sensitive information that can be used to impersonate the trust between your account and the computer.
Ease of use (or, automation): if the application or computer you authorised needs to act on your behalf, it would be annoying to retype your password all the time. Using a special kind of authentication allows the computer or app to do certain things on your behalf, but not every possible action as there usually are limits to how many things it's allowed to do in your name before you have to re-authorise the ID with your password. So while your Apple ID can be used to receive iMessages once you are logged in, that same token won't allow some other app to 'read' your stored credit card information or change your email address.
Long story short: it's not a password (it's a token), it's not for you (it's for computers), it's a 'special ID' and it's for the apps that added it to the keychain to function in your name.

Private key changes in Keychain Access not saved

I have exactly the same problem as described here:
"User interaction is not allowed" trying to sign an OSX app using codesign
So now I want to change the private key access control to Allow all applications to access this item. When I check this option everything looks fine; I've been asked to enter the administrator password and after that the window closes.
But when I check the Access Control of the key again the other option is checked again; only allow list of applications...
Already found a solution:
Remove the cert/key from System.
Add the cert/key to login and change the Access Control (changing here worked...).
Copy the cert/key to System. The access control is as it should be.

How do you make a Firefox extension password protected?

As in, when I install an add-on, and Firefox restarts, it should accept a password (only the first time when installing). And when the user wants to disable or remove the add-on, it will only comply upon entering the same password? In which part would the code be kept?
You cannot. Even if you disable add-on uninstall - the user can always close the browser and remove the extension manually (removing the directory on disk will do).
That said, the secure way of storing passwords is the login manager. They will be stored encrypted on disk if the user defines a master password. Of course, the user himself can always see the stored passwords (under Options / Security / Saved Passwords). So you probably want to store a salted hash of the password rather than the password itself.
You can also use AddonManager.addAddonListener() to get notified whenever an add-on is being disabled or uninstalled. You can cancel the action by calling addon.cancelUninstall() or setting addon.userDisabled = false.
The above is merely for reference - it won't really help you achieve your goal.
