I have an iOS application that I'm developing, and the application must be bundled with a certificate in order to be used, since it makes use of a WebView and the site cannot be accessed without the certificate.
I currently have a working solution, but I noticed that when unzipping the .ipa file and looking into the code, I can see the password for the certificate very clearly, as you can see from this line from the compiled code:
lastSampleTimeMainjsbundlecertificatep12PASSWORDHEREGCDAsyncSocketErrorDomain
A short code snippet of how I am retrieving the certificate:
// Locate the bundled PKCS#12 file and load it into memory.
NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
NSData *p12Data = [[NSData alloc] initWithContentsOfFile:p12Path];
// The PKCS#12 passphrase as a hard-coded string literal; this is the text that shows up in the strings dump above.
CFStringRef password = CFSTR("somePassword");
Is there any safe way to handle this type of scenario? Or will the password always be retrievable if it falls into the hands of someone who knows what he's doing?
A simple solution might be to just obfuscate the string, creating the password string from a byte array, but that's still not very safe.
Some explanation here... also to consider: loading the password into a string should be avoided, as it could be read from the heap at runtime: https://stackoverflow.com/a/8881376/20283130
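Added example, not from the question or any answer on the page: it shows concretely what the asker saw (a hard-coded literal sitting between neighbouring strings in the binary's data), how the byte-array obfuscation mentioned above keeps that literal out of a `strings`-style scan, and how the reconstructed password is wiped after use so it does not linger in memory. It is written in C rather than Objective-C so it runs anywhere; the same byte arrays and loop can be dropped into an Objective-C file unchanged. The XOR key, the pre-obfuscated bytes, the simulated data-section images and the toy `strings_scan_finds()` scanner are all constructed for this example and are stand-ins for the real binary and the real `strings` tool.

```c
/* Added example (constructed data, not the asker's code). Demonstrates
 * why a string literal is trivially found by a strings-style scan, how a
 * byte-array XOR obfuscation keeps the literal out of the binary, and why
 * that is still only obfuscation: the key and the loop ship alongside it. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rolling XOR key and the pre-obfuscated password bytes (both constructed
 * offline for this example). The plaintext never appears as a literal in
 * this file, so a strings dump of the compiled binary will not show it. */
static const unsigned char kKey[] = { 0x5a, 0xc3, 0x17, 0x8e };
static const unsigned char kObfuscated[] = {
    0x29, 0xac, 0x7a, 0xeb, 0x0a, 0xa2, 0x64, 0xfd,
    0x2d, 0xac, 0x65, 0xea
};
#define PASSWORD_LEN (sizeof(kObfuscated))

/* Overwrite a buffer in a way the optimizer is not allowed to remove. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Reconstruct the password into a caller-supplied stack buffer
 * (NUL-terminated). The caller wipes it with secure_zero() right after
 * use, so no long-lived heap object holds the plaintext. Returns 0 on
 * success, -1 if the buffer is too small. */
int deobfuscate_password(char *out, size_t out_len) {
    if (out_len < PASSWORD_LEN + 1) return -1;
    for (size_t i = 0; i < PASSWORD_LEN; i++)
        out[i] = (char)(kObfuscated[i] ^ kKey[i % sizeof(kKey)]);
    out[PASSWORD_LEN] = '\0';
    return 0;
}

/* Toy stand-in for `strings`: does any run of >= 4 printable bytes in
 * `blob` contain `needle`? This is what an attacker runs on the .ipa. */
int strings_scan_finds(const unsigned char *blob, size_t len, const char *needle) {
    size_t run_start = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = (i < len) && isprint(blob[i]);
        if (!printable) {
            size_t run_len = i - run_start;
            if (run_len >= 4) {
                char run[256];
                if (run_len >= sizeof(run)) run_len = sizeof(run) - 1;
                memcpy(run, blob + run_start, run_len);
                run[run_len] = '\0';
                if (strstr(run, needle)) return 1;
            }
            run_start = i + 1;
        }
    }
    return 0;
}

/* Constructed data section of the naive build: the literal sits between
 * the neighbouring strings, exactly like the line the asker quoted. */
int naive_build_leaks(void) {
    char pw[PASSWORD_LEN + 1];
    unsigned char img[128];
    if (deobfuscate_password(pw, sizeof(pw)) != 0) return -1;
    int n = snprintf((char *)img, sizeof(img),
                     "certificatep12%sGCDAsyncSocketErrorDomain", pw);
    int found = strings_scan_finds(img, (size_t)n, pw);
    secure_zero(pw, sizeof(pw));
    return found;
}

/* Constructed data section of the obfuscated build: the XORed bytes sit
 * where the literal used to be, splitting the printable run apart. */
int obfuscated_build_leaks(void) {
    char pw[PASSWORD_LEN + 1];
    unsigned char img[128];
    size_t n = 0;
    if (deobfuscate_password(pw, sizeof(pw)) != 0) return -1;
    memcpy(img + n, "certificatep12", 14);               n += 14;
    memcpy(img + n, kObfuscated, PASSWORD_LEN);           n += PASSWORD_LEN;
    memcpy(img + n, "GCDAsyncSocketErrorDomain", 25);    n += 25;
    int found = strings_scan_finds(img, n, pw);
    secure_zero(pw, sizeof(pw));
    return found;
}

/* Self-check helper: reconstruct, compare, wipe; 1 if it matches. */
int password_is(const char *expected) {
    char pw[PASSWORD_LEN + 1];
    if (deobfuscate_password(pw, sizeof(pw)) != 0) return 0;
    int ok = strcmp(pw, expected) == 0;
    secure_zero(pw, sizeof(pw));
    return ok;
}

int main(void) {
    printf("naive build: strings finds password?      %d\n", naive_build_leaks());
    printf("obfuscated build: strings finds password? %d\n", obfuscated_build_leaks());
    return 0;
}
```

The naive image yields 1 and the obfuscated image 0, which is the whole benefit of the byte-array approach: the literal is gone from the strings output. It is not more than that. `kKey`, `kObfuscated` and the XOR loop are all in the same binary, so anyone who disassembles it, or attaches a debugger and breaks after `deobfuscate_password()` returns, gets the same `pw` buffer; and the .p12 file itself is still in the bundle next to it. The `secure_zero()` calls address the separate point in the question about the plaintext remaining readable in memory: the reconstructed copy lives only in a stack buffer for the duration of the call that needs it.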