- Store secrets and credentials in the Keychain using `SecItemAdd`/`SecItemCopyMatching` — never store sensitive data in `NSUserDefaults`, plists, or Core Data without encryption.
- Use `NSFileProtectionComplete` data protection on sensitive files, and check the result instead of passing `error:nil`: `NSError *error = nil; if (![[NSFileManager defaultManager] setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete} ofItemAtPath:path error:&error]) { /* handle error */ }`. Files with this class are unreadable while the device is locked, so data a background task must reach after lock belongs under `NSFileProtectionCompleteUnlessOpen` or `NSFileProtectionCompleteUntilFirstUserAuthentication`, never under `NSFileProtectionNone`.
- Validate server certificates in the `NSURLSession` delegate method `URLSession:didReceiveChallenge:completionHandler:` (or the task-level `URLSession:task:didReceiveChallenge:completionHandler:`) by evaluating `challenge.protectionSpace.serverTrust` with `SecTrustEvaluateWithError` before building a credential from it; never return `[NSURLCredential credentialForTrust:]` unconditionally, and reject invalid or self-signed certificates in production. A session with no delegate already performs this evaluation; the usual way it gets disabled is a custom delegate that skips it.
- Keep App Transport Security (ATS) enabled and avoid `NSAllowsArbitraryLoads` in the `NSAppTransportSecurity` dictionary of `Info.plist` except in development builds; where one legacy host needs an exception, scope it with `NSExceptionDomains` rather than disabling ATS globally.
- Never log sensitive data with `NSLog` — logs are readable from device consoles and crash reports; scrub PII and tokens before logging.
- Use `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` for Keychain items that must never leave the device: the `ThisDeviceOnly` classes are not synced to iCloud Keychain and are not restored from a backup onto a different device, and `WhenUnlocked` additionally makes the item unreadable while the device is locked (`SecItemCopyMatching` returns `errSecInteractionNotAllowed`). Items a background task needs after lock should use `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` instead.
- Validate all deserialized data from `NSJSONSerialization` before using it: check types explicitly with `isKindOfClass:` before casting, remembering that JSON `null` arrives as `NSNull` and that `true`/`false` arrive as `NSNumber`, so a plain `NSNumber` check accepts booleans where an integer was expected.
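The Keychain and file-protection items above, worked through as an added example (this is not code from the original page). It stores a token under `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, falls back to `SecItemUpdate` when the item already exists, reads it back with `SecItemCopyMatching`, and writes a protected file with the protection class applied at creation time. The service name, account name, and the `main` round trip are illustrative.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not code from the original page. Service and account names
// are illustrative.
static NSString * const kExampleService = @"com.example.app.tokens";

static NSError *OSStatusError(OSStatus status) {
    return [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
}

// Query that identifies one generic-password item by service + account.
static NSDictionary *ItemQuery(NSString *account) {
    return @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
    };
}

// Store (or replace) a secret. ThisDeviceOnly: never restored to another device,
// never synced to iCloud Keychain. WhenUnlocked: unreadable while the device is locked.
BOOL SaveSecret(NSString *account, NSData *secret, NSError **error) {
    id accessible = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    NSMutableDictionary *attrs = [ItemQuery(account) mutableCopy];
    attrs[(__bridge id)kSecValueData]      = secret;
    attrs[(__bridge id)kSecAttrAccessible] = accessible;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    if (status == errSecDuplicateItem) {
        // Item already exists: update value and accessibility in place.
        NSDictionary *changes = @{ (__bridge id)kSecValueData:      secret,
                                   (__bridge id)kSecAttrAccessible: accessible };
        status = SecItemUpdate((__bridge CFDictionaryRef)ItemQuery(account),
                               (__bridge CFDictionaryRef)changes);
    }
    if (status != errSecSuccess) {
        if (error) *error = OSStatusError(status);
        return NO;
    }
    return YES;
}

// Read a secret back. Returns nil with errSecItemNotFound, or with
// errSecInteractionNotAllowed while the device is locked, in *error.
NSData *LoadSecret(NSString *account, NSError **error) {
    NSMutableDictionary *query = [ItemQuery(account) mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        if (error) *error = OSStatusError(status);
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}

BOOL DeleteSecret(NSString *account) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)ItemQuery(account));
    return status == errSecSuccess || status == errSecItemNotFound;
}

// Write a sensitive file with Complete protection set when the file is created,
// rather than writing first and calling setAttributes:ofItemAtPath: afterwards,
// which leaves a window where the file exists without the protection class.
BOOL WriteProtectedFile(NSData *data, NSString *path, NSError **error) {
    return [data writeToFile:path
                     options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                       error:error];
}

int main(void) {
    @autoreleasepool {
        NSError *err = nil;
        // Constructed sample secret; a real token never appears in source or logs.
        NSData *token = [@"constructed-sample-token" dataUsingEncoding:NSUTF8StringEncoding];
        if (!SaveSecret(@"session", token, &err)) {
            NSLog(@"save failed: OSStatus %ld", (long)err.code);   // status only, never the secret
            return 1;
        }
        NSData *back = LoadSecret(@"session", &err);
        NSLog(@"round trip ok: %d", back != nil && [back isEqualToData:token]);
        DeleteSecret(@"session");
    }
    return 0;
}
```

`kSecAttrAccessible` is only honoured by the data-protection keychain, so this behaves as described on iOS; on macOS the same calls hit the legacy file-based keychain unless `kSecUseDataProtectionKeychain` is set.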
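The certificate-validation item above, as an added example that is not code from the original page. It shows the insecure delegate pattern (kept as a comment) beside a hardened `URLSession:didReceiveChallenge:completionHandler:` that evaluates the server trust with `SecTrustEvaluateWithError` and cancels the connection when evaluation fails. The class name and `MakeHardenedSession` helper are illustrative.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not code from the original page. Class name is illustrative.
@interface HardenedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation HardenedSessionDelegate

// The pattern to avoid: turning the server trust into a credential without
// evaluating it accepts any certificate, self-signed and expired ones included.
// Kept as a comment so it cannot be compiled in by accident:
//
//   completionHandler(NSURLSessionAuthChallengeUseCredential,
//                     [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-trust challenges are handled here; HTTP Basic, client
    // certificates and the like fall back to the framework's default handling.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    if (trust == NULL) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Evaluate the chain against the system trust store using the SSL policy
    // (hostname check included) that the framework already attached to the
    // trust object. Self-signed, expired, name-mismatched and untrusted-root
    // chains all fail here.
    CFErrorRef cfError = NULL;
    bool trusted = SecTrustEvaluateWithError(trust, &cfError);   // iOS 12+ / macOS 10.14+
    if (!trusted) {
        // Log the host and the reason only; nothing from the request body.
        NSLog(@"TLS trust evaluation failed for %@: %@", space.host, (__bridge NSError *)cfError);
        if (cfError) CFRelease(cfError);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}

@end

// Sessions created with this delegate run the check above on every TLS
// handshake. A session with no delegate performs the same evaluation by
// default; the only way to weaken it is a delegate that skips it.
NSURLSession *MakeHardenedSession(void) {
    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    return [NSURLSession sessionWithConfiguration:config
                                         delegate:[HardenedSessionDelegate new]
                                    delegateQueue:nil];
}
```

If a build must talk to a self-signed test server, gate that path on a debug-only compile flag rather than leaving the unconditional `credentialForTrust:` form reachable in release builds.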
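The deserialization item above, as an added example that is not code from the original page. It validates a payload of the hypothetical shape `{"user": {"id": <integer>, "roles": [<string>, ...]}}` with `isKindOfClass:` at every level, rejecting `NSNull` where an object or array is expected and JSON booleans where a number is expected. The sample inputs in `main` are constructed.

```objc
#import <Foundation/Foundation.h>

// Added example, not code from the original page. The payload shape
// {"user": {"id": <integer>, "roles": [<string>, ...]}} is hypothetical.
static NSError *ShapeError(NSString *reason) {
    return [NSError errorWithDomain:@"ExamplePayload" code:1
                           userInfo:@{NSLocalizedDescriptionKey: reason}];
}

// Returns a validated {@"id": NSNumber, @"roles": NSArray<NSString *>} or nil.
// Every value that comes out of NSJSONSerialization is checked with
// isKindOfClass: before use. JSON null decodes to NSNull and therefore fails
// the dictionary/array/string checks; nil (missing key) fails them too.
NSDictionary *ParseUserPayload(NSData *body, NSError **error) {
    NSError *jsonError = nil;
    id root = [NSJSONSerialization JSONObjectWithData:body options:0 error:&jsonError];
    if (root == nil) {
        if (error) *error = jsonError;
        return nil;
    }
    if (![root isKindOfClass:[NSDictionary class]]) {
        if (error) *error = ShapeError(@"top level is not an object");
        return nil;
    }
    id user = ((NSDictionary *)root)[@"user"];
    if (![user isKindOfClass:[NSDictionary class]]) {
        if (error) *error = ShapeError(@"user is not an object");
        return nil;
    }
    id uid = ((NSDictionary *)user)[@"id"];
    // JSON true/false also decode to NSNumber (the kCFBoolean singletons);
    // reject them explicitly so a boolean cannot pass as an id.
    if (![uid isKindOfClass:[NSNumber class]]
        || uid == (id)kCFBooleanTrue || uid == (id)kCFBooleanFalse) {
        if (error) *error = ShapeError(@"user.id is not a number");
        return nil;
    }
    id roles = ((NSDictionary *)user)[@"roles"];
    if (![roles isKindOfClass:[NSArray class]]) {
        if (error) *error = ShapeError(@"user.roles is not an array");
        return nil;
    }
    for (id role in (NSArray *)roles) {
        if (![role isKindOfClass:[NSString class]]) {
            if (error) *error = ShapeError(@"user.roles contains a non-string");
            return nil;
        }
    }
    return @{ @"id": uid, @"roles": roles };
}

int main(void) {
    @autoreleasepool {
        // Constructed sample inputs: one well-formed, two that would crash or
        // misbehave if the values were cast without checking.
        NSArray<NSString *> *samples = @[
            @"{\"user\":{\"id\":42,\"roles\":[\"admin\",\"ops\"]}}",
            @"{\"user\":\"admin\"}",                      // user is a string, not an object
            @"{\"user\":{\"id\":true,\"roles\":null}}",   // boolean id, null roles
        ];
        for (NSString *s in samples) {
            NSError *err = nil;
            NSDictionary *parsed = ParseUserPayload([s dataUsingEncoding:NSUTF8StringEncoding], &err);
            NSLog(@"%@ -> %@", s, parsed ?: err.localizedDescription);
        }
    }
    return 0;
}
```

The same discipline applies to `NSPropertyListSerialization` and to anything unarchived with `NSKeyedUnarchiver`: treat the decoded object graph as untrusted input and check each node's class before sending it messages that only the expected class understands.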