Where is the private key stored ? about pgpro HOT 5 CLOSED

All the data is stored locally using Apple's native Core Data framework. Therefore the keys are stored encrypted and on your device only.

Does this clarify your question?

from pgpro.

Yes, thanks. Good to add it to the documentation, as it is a central question for such an app.
--> I am no expert at all in iOS dev nor in security, but I came across this post: https://security.stackexchange.com/questions/147312/is-data-stored-in-core-data-on-ios-secure
and wonder if storing the private key in the keychain would be more appropriate ?

from pgpro.

I did consider storing the private keys in the iOS Keychain. What made me decide against it, is that Apple encourages users (maybe it's even the default?) to sync the Keychain via iCloud.
While this happens end-to-end encrypted, one cannot be certain that Apple doesn't (have to) have a master key.

(This is also the reason why there is currently no option to "remember" the passphrases for private keys.)

That said, I am open for discussion on this topic.

from pgpro.

Indeed, the 'weak' point will be if and when data is stored on iCloud, either the Keychain or CoreData database.
It would be interesting to compare how other crypto apps did address this (e.g. https://github.com/status-im).

from pgpro.

It seems that status-im they is using the Keychain and bind the keychain to the device, so to prevent that it can be accessed on iCloud at all:
https://github.com/status-im/status-react/blob/develop/src/status_im/utils/keychain/core.cljs
--> https://developer.apple.com/documentation/security/ksecattraccessiblewhenpasscodesetthisdeviceonly

from pgpro.