realm / realm-loginkit

A generic interface for logging in to Realm Mobile Platform apps
Apache License 2.0

Clear text password stored on disk #30

Closed icanzilb closed 7 years ago

icanzilb commented 7 years ago

Currently the lib isn't usable in production since it stores the password in NSUserDefaults. There is an existing issue proposing to use an encrypted Realm: https://github.com/realm-demos/realm-loginkit/issues/24 but it sounds like it's more of a "nice to have" instead of a must.

The lib needs to either store the password in the Keychain or use another more secure approach.

TimOliver commented 7 years ago

I'm curious as to why you opened a new issue instead of adding a comment to that existing issue. XD

Yeah, the original design intent of this login controller was for demo apps, where the password was more often than not going to simply be "password". I'm working on slowly making it a production-ready library for actual shipping apps, for both Realm and third-party users, but the current priority is adapting the logic to allow additional authentication methods with it.

icanzilb commented 7 years ago

The referred issue was saying it'd be "somewhat nicer" to fix this and it wasn't assigned to anyone, so it wasn't clear if that's going to be addressed or not. If you feel this is already being tracked over there - just close this issue 👍

TimOliver commented 7 years ago

Yeah, I should have worded that nicer, sorry! I'll update the original issue to increase its urgency.

It's on my list. :) I'm planning to overhaul that system so a history of past ROS credentials can be brought up (which will definitely be encrypted)!

icanzilb commented 7 years ago

Thanks Tim 👍
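
The Keychain approach requested in the opening comment, sketched with the iOS Security framework as an added example (this is not code from realm-loginkit). The service string and the legacy NSUserDefaults key are hypothetical placeholders, since the thread does not name the key the library uses.

```swift
import Foundation
import Security

// Hypothetical names: assumptions for this example, not realm-loginkit identifiers.
let service = "com.example.loginkit.credentials"
let legacyDefaultsKey = "ExampleLegacyPasswordKey"

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

func baseQuery(account: String) -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Store or replace the password for `account` in the Keychain.
func savePassword(_ password: String, account: String) throws {
    let data = Data(password.utf8)
    var attributes = baseQuery(account: account)
    attributes[kSecValueData as String] = data
    // Readable only while unlocked; not migrated to another device on restore.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    var status = SecItemAdd(attributes as CFDictionary, nil)
    if status == errSecDuplicateItem {
        let update: [String: Any] = [kSecValueData as String: data]
        status = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                               update as CFDictionary)
    }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Return the stored password, or nil if no item exists for `account`.
func loadPassword(account: String) throws -> String? {
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    return (item as? Data).flatMap { String(data: $0, encoding: .utf8) }
}

/// One-time migration: move a password left in NSUserDefaults into the Keychain.
func migrateLegacyPassword(account: String, defaults: UserDefaults = .standard) throws {
    guard let legacy = defaults.string(forKey: legacyDefaultsKey) else { return }
    try savePassword(legacy, account: account)
    defaults.removeObject(forKey: legacyDefaultsKey) // delete the plaintext copy
}
```

The migration step matters for existing installs: moving new writes to the Keychain does not remove a password that an earlier build already wrote to the app's preferences file.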