Security for iOS
A look at security configuration for Brand Messenger on iOS
Encryption Delegate
iOS SDK's default storage for secure tokens
The iOS SDK receives and sends secure tokens and passwords during login and throughout its lifecycle, as shown in the Authentication section. Without a custom implementation, the iOS SDK stores these tokens and passwords in the Keychain using iOS's default Security framework.
The SDK offers a way to bypass this default behavior if the customer chooses to implement their own storage solution for the tokens and passwords.
KBMEncryptionDelegate
The BrandMessengerManager class has a setEncryptionDelegate method which, once a delegate is set, hands off the storage of the auth token KBM_USER_AUTH_TOKEN, the password KBM_PASSWORD and the device key KBM_DEVICE_KEY to the delegate instead of handling them inside the SDK.
class ExampleClass: NSObject, KBMEncryptionDelegate {
    override init() {
        super.init()
        // Register this object as the SDK's storage for tokens, password and device key.
        BrandMessengerManager.setEncryptionDelegate(self)
    }
    ...
    func putSecureValue(withKey key: String!, withValue value: String!) -> Bool {
        // Return false if the app failed to store the value.
        return true
    }
    func getSecureValue(withKey key: String!) -> String! {
        // Return the previously stored value for key.
        return ""
    }
    func hasSecureValue(withKey key: String!) -> Bool {
        // Return true if a value is stored for key.
        return false
    }
    func clearAll() {
        // Remove every stored value (called on logout).
    }
}
@interface ExampleClass: NSObject <KBMEncryptionDelegate>
@end
...
@implementation ExampleClass
- (instancetype)init {
    self = [super init];
    if (self) {
        // Register this object as the SDK's storage for tokens, password and device key.
        [BrandMessengerManager setEncryptionDelegate:self];
    }
    return self;
}
...
- (BOOL)putSecureValueWithKey:(NSString *)key withValue:(NSString *)value {
    // Return NO if the app failed to store the value.
    return YES;
}
- (NSString *)getSecureValueWithKey:(NSString *)key {
    // Return the previously stored value for key.
    return @"";
}
- (BOOL)hasSecureValueWithKey:(NSString *)key {
    // Return YES if a value is stored for key.
    return NO;
}
- (void)clearAll {
    // Remove every stored value (called on logout).
}
@end
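As an added example (not Khoros's code), the stubs above filled in with a delegate that keeps the three SDK secrets in the Keychain under the app's own service name, with an accessibility class that makes them readable only while the device is unlocked and keeps them out of device-to-device restores. The KBMEncryptionDelegate method signatures are taken from the page; the service identifier is a hypothetical value.

```swift
import Foundation
import Security

// Added example, not Khoros's code: a KBMEncryptionDelegate that keeps the SDK's
// KBM_USER_AUTH_TOKEN, KBM_PASSWORD and KBM_DEVICE_KEY in the Keychain under a
// service of our own, readable only while unlocked and never restored to another device.
final class KeychainEncryptionDelegate: NSObject, KBMEncryptionDelegate {
    private let service = "com.example.app.brandmessenger"  // hypothetical, pick your own
    override init() {
        super.init()
        BrandMessengerManager.setEncryptionDelegate(self)
    }
    // Base query shared by every operation: a generic-password item for this key.
    private func query(for key: String) -> [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: service,
                kSecAttrAccount as String: key]
    }
    func putSecureValue(withKey key: String!, withValue value: String!) -> Bool {
        guard let key = key, let data = value?.data(using: .utf8) else { return false }
        SecItemDelete(query(for: key) as CFDictionary)   // replace, so the newest token wins
        var attrs = query(for: key)
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
    }
    func getSecureValue(withKey key: String!) -> String! {
        guard let key = key else { return nil }
        var q = query(for: key)
        q[kSecReturnData as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(q as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
    func hasSecureValue(withKey key: String!) -> Bool {
        guard let key = key else { return false }
        var q = query(for: key)
        q[kSecReturnAttributes as String] = true           // metadata only, no decrypt
        return SecItemCopyMatching(q as CFDictionary, nil) == errSecSuccess
    }
    func clearAll() {
        // Drops every item under our service, i.e. all three SDK secrets at once.
        SecItemDelete([kSecClass as String: kSecClassGenericPassword,
                       kSecAttrService as String: service] as CFDictionary)
    }
}
```

Creating one `KeychainEncryptionDelegate()` before the SDK logs in is enough; the SDK then calls these methods for every token, password and device-key read or write.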
Certificate Pinning
The SDK has certificate pinning disabled by default. When it is turned on, the Authentication Handler and Messaging endpoints are pinned, and the SDK will need to be updated regularly because the pinned public keys expire and are replaced at regular intervals. Please contact Khoros for more detail.
Enabling pinning
The default pinning is through public keys and can be enabled as follows:
BrandMessengerManager.enableDefaultCertificatePinning()
If the customer needs to provide their own public keys, they can use the following:
BrandMessengerManager.setPinningCertificatePublicKeys(["key 1", "key 2"])
Customizing the domains
The base URLs of the pinned endpoints (Authentication Handler and Messaging) can be customized. This must be done before the pinning is enabled with the code above.
// Messaging endpoint
KBMUserDefaultsHandler.setBASEURL("brandmessenger.khoros.com")
// Authentication Handler endpoint.
KBMUserDefaultsHandler.setCustomAuthHandlerUrl("messaging-auth.khoros.com")