Security for iOS

A look at security configuration for Brand Messenger on iOS

Encryption Delegate

iOS SDK's default storage for secure tokens

The iOS SDK receives and sends secure tokens and passwords during its login and lifecycle as shown in the Authentication section. Without custom implementation, the iOS SDK stores these tokens and passwords into the Keychain using iOS's default Security framework.

The SDK offers a way to bypass this default behavior if the customer chooses to implement their own storage solution for the tokens and passwords.


BrandMessengerManager class has a setEncryptionDelegate method which once implemented, will hand off the storage of the auth-token KBM_USER_AUTH_TOKEN, password KBM_PASSWORD and device-key KBM_DEVICE_KEY to the delegate instead of handling them inside the SDK.

class ExampleClass: NSObject, KBMEncryptionDelegate {
    init() {

    func putSecureValue(withKey key: String!, withValue value: String!) -> Bool {
        // return false if app failed to store value
        return true
    func getSecureValue(withKey key: String!) -> String! {
        return ""
    func hasSecureValue(withKey key: String!) -> Bool {
        return false
    func clearAll() {
@interface ExampleClass: NSObject <KBMEncryptionDelegate>


@implementation ExampleClass
-(void)init {
    [BrandMessengerManager setEncryptionDelegate:self];


- (void)putSecureValueWithKey:(NSString *)key withValue:(NSString *)value {

- (NSString *)getSecureValueWithKey:(NSString *)key {
    return @"";

- (bool)hasSecureValueWithKey:(NSString *)key {
    return false;

- (void)clearAll {


Certificate Pinning

The SDK has certificate pinning disabled by default. When turned on, Authentication-Handler and Messaging endpoints are pinned. When turned on, the SDK will need to be regularly updated as the public keys will be expired and replaced on regular intervals. Please contact Khoros to find out more detail.

Enabling pinning

The default pinning is through public-keys, and can be enabled as follows


If the customer has a need to provide their own public-keys, they can use the following

BrandMessengerManager.setPinningCertificatePublicKeys(["key 1", "key 2"])

Customizing the domains

The base urls of the pinned endpoints (Authentication Handler and Messaging) can be customized. This must be done before enable-pin code above is run.

// Messaging endpoint

// Authentication Handler endpoint.