I have a MacOS app coded in swift, and when someone right clicks > show package contents there is a file that reveals some information I do not want the user to see. Is it at all possible to hide that file?
There's no way to secure data on the client (mac) side. If your program can read something, so can a hacker. You can do 3 things about it:
Make it obfuscated enough to make it annoying to deal with, hoping that bad actors would get discouraged.
Make the reward of reading the sensitive data lower, so there's less incentive to do so
Make the sensitive data be black boxed by a server you control and have secured, and have all the sensitive operations be out-sourced to computation on that secure server.
No, you can't hide files in a meaningful way.
If you name the file starting with a dot (".") they are not shown in the Finder by default, but that's very easy to get around.
Better to encrypt the file and decrypt it in your app. That way nosy users can see the file but can't make any sense out of the contents.
Related
I have an iOS application, which stores all downloaded *.pdf files in its cache. Is there a way to prevent this data from extracting? Encryption or something else? Thanks in advance.
There are quite a few ways to encrypt files, and I'm sure everyone will have an opinion on the best way to do so.
In a project I've recently been working on, we've been using CommonCrypto (https://github.com/AlanQuatermain/aqtoolkit). Just take any NSData, encrypt it, and save it to a file, and vice versa. You can even write an easy Transformer by subclassing NSValueTransformer, which abstracts all of the encryption to one spot and you will never have to worry about it again.
You can protect PDF files with a password. I assume you create the PDF files not within the application but externally. For example you can use Preview.app in Mac OS X to secure existing PDF files with a password (Hit Cmd-P, then select PDF in the print menu and there you can set security options. Or even more simple: in the menu choose Export...).
In iOS you can then open the PDF files like this:
CGPDFDocumentRef documentRef = CGPDFDocumentCreateWithURL((__bridge CFURLRef)[NSURL fileURLWithPath:filePath]);
if (!CGPDFDocumentIsUnlocked(documentRef))
CGPDFDocumentUnlockWithPassword(documentRef, password);
...
There are actually 2 Documents folders in which your app can store content. One can be extracted, and one is private. Check the accepted answer in this ticket.
Access files in "private Documents" folder transferred with iTunes
Assuming you want the PDF files from getting extracted on jailbroken devices, the most straight forward approach would be along the following lines:
generate a random string during the first launch of the app
save the random string either in NSUserDefaults in state file inside your own app's sandbox
using this random string create a secret key using a deterministic but hard to figure out algorithm
use this secret key, which you don't store anywhere but always generate on demand, symmetrically encrypt your buffer with AES or something similar
You would probably find the source code here very helpful.
I need to code in authentication information for specific parts of my website into my app. Is it at all possible for the app to be "decompiled" and the username and password exposed?
NSURL *url = [NSURL URLWithString:#"https://predefinedUsername:predefinedPassword#www.website.com"];
Yes, it is possible. Assume that if you have anything compiled into your app, it can [and will] be discovered by someone somewhere. Even if it isn't possible today, you are creating a frozen record of such information that will be vulnerable to any future attacks, known or unknown.
You really need the user to perform some task that authenticates them. There are a million and one ways to do that, and for every one of those, a million and two ways to do it wrong. :)
Without knowing more about your specific requirements, it is impossible to really say much more outside of "keep it simple and don't store or send anything in clear-text".
As #Hyperbole said, If you store the username and password in plain text it will be visible in the executable. It is extremely trivial to examine the executable for strings, and it's usually the first thing someone with malicious intent will try.
Right click on any app you've downloaded in iTunes and select show in finder. Make a copy of the app on your desktop and rename the app from AppName.ipa to AppName.zip. Double-click to unzip it, and look inside the folder. Navigate to the folder Payload and then right click on the (probably only) file in there called AppName that looks like an application but has a big circle with a cross through it for the icon. Select show package contents. Scroll through until you find a file called AppName with no extension and a blackish rectangle with the green word "exec" as an icon. Open that file in text edit or another text editor. You'll find that most of this ends up being random symbols and other crap, but you should occasionally see some plain text. The compiler takes string constants and embeds them directly in the app when you compile it in most cases.
You asked about what magazine apps and others do to access content - There are a ton of different ways to do it but off the top of my head, after the server verifies your in-app purchase receipt, the server would record an identifier specific to your iTunes account, saying that you've purchased a specific issue of the magazine. Then your app can request that file from the server, adding the identifier to the request in the process. The server would respond with the file once it looks through the database and determines that you've purchased the content.
Other solutions include signing/hashing a unique key.
Your example would expose the username and password without the need to decompile as you send it via plain text in a URL request. Anyone with a sniffer or MITM service yould snatch it out of the air. A better approach would be to make use of SSL via the http*s* protocol. You could go a step further and either prompt at runtime for the credentials and/or store an encrypted version within the app.
This is very bad because it is trivially easy to recover these credentials just by running 'strings' against the app binary without needing to decompile it.
Can't you pop up a dialogue box asking the user to enter the credentials when they first start the app ? Alternatively you could store them encrypted in a file and then ask the user for an alternative credential e.g. Passcode that derives the key but even this will not survive a determined attack unless the Passcode is long.
any recommendations for saving four strings into an own file format that is read by the application and can be shared?
In my app, you will be able to enter some text in some boxes and the app shows a view with an background image and those strings. Now, I am already able to save this as a picture, but I actually want to save it to an own file format so that you can save different files that can be modified afterwards as well or even exchanged via email and opened from another iphone with the app.
Now, I wrote the code for accessing the documents folder of the app, as well as saving and deleting. Thing is, i dont know how to store those strings in a file (perhaps in a xml?) and read them easily afterwards from my application.
For the exchanging part, I found that link which would be a nice feature indeed: http://iosdevelopertips.com/cocoa/launching-your-own-application-via-a-custom-url-scheme.html
Parsing xml seems not that difficult (never done it before): http://ipad.about.com/od/iPad-App-Dev/a/How-To-Parse-Xml-Files-In-Xcode-Objective-C.htm
If it's only a small bit of infomation then the easiest way to store your data in a file would be using a plist - there's a good tutorial here - http://www.icodeblog.com/2009/02/14/loading-data-from-plist-files/
In addition to the plist, you could also do the following approaches:
1) simplest - open a file in your documents directory, write the 4 strings (using whatever delimiter/end of string marker is useful - carriage return?) and overwrite them each time through. (i.e. it's your file, you can format it how you like)
2) mildly harder - use Apple's NSArchive to pack and unpack the strings.
3) possible overkill - store them directly in a SQLite database
4) major overkill - store them in CoreData.
Of course, the "overkill" options also provide you with extra features which may be of use if your app functionality extends beyond what you've outlined.
By sharing, I would think that simple copy and paste might be enough, but there's also sending it via email, or tripping another app's URL scheme to make it open it and sending the strings as part of the URL. You'd have to know that the other app would be able to interpret your strings as part of the URL, so you might have to write it yourself.
Okay guys I found that very nice method in the NSString documentation:
–writeToFile:atomically:encoding:error:
I think I am gonna separate my strings by /n and save them to a .txt. When I am gonna read the file afterwards, i am getting the string, divide it to substrings. That will do it, I guess.
One last question: Is it possible to replace the content of my file so that I won't need to create a new file every time i want to change something?
Thanks!
I have a perl script which when run from the command line generates a text file of data with a specific format for use by another application. The script also prints informational warning messages on stderr. I'm writing a web front end for this. In an ideal world when the user clicks 'submit' on the associated form, a page would be displayed in the browser containing the informational messages, and simultaneously a pop-up would appear allowing the user to save the text file of data to disk. I would like this to work on browsers without javascript enabled, so I think exactly what I want is probably not possible.
Some sites I have seen deal with this kind of thing by displaying the page with the informational messages, and a link to the file to be downloaded. This would seem to mean having to store the files and sorting out some sort of security so that another user cannot download your file (not that this is a big deal for the application in question).
I'm wondering if there is a more elegant way of dealing with this? e.g Is it possible to use multipart messages to somehow achieve returning both pieces of information in one go? Is it possible to pop-up a second window with the informational messages without using javascript? Apologies if these seem like basic questions - my programming knowledge is in the domain of DNA sequence manipulation algorithms rather than web page generation..
If (and only if) the data is quick and easy to generate, do it once for error messages and a second time for download. The link or button of the error-message page would regenerate the results and prompt for download.
This is a bit of a hack since you need to consider what to do if the underlying data changes before the user hits the download link. Be careful to set the header correctly for file download vs normal webpage, eg,
if($submit) {
print header(-type=>'application/octet-stream',
-Content_disposition=>'attachment; filename=foobar.dat');
Gen_Results();
}
To be honest, I'd just use a little javascript anyway since it's a pretty safe assumption now a days. Otherwise, use a "noscript" tag for some alternative.
I need to prevent a document from being saved / saved as (say from ms word). I've looked around and I havn't quite found a satifying answer. I've considered EFS... but I don't think it prevents the user from saving the document as... (though it prevents access to the original source file). Any ideas outthere?
Run it on completely locked-down system with read-only disk, no network and no removable drives. Access to the computer must be phisically restricted as well.
This should prevent Save As from working, but still won't prevent document from being copied (someone may take photo of the screen and OCR it).
It usually isn't worth it to disable Save As, because you need access to the original in order to open it in the first place. There are always ways to copy a file.
I had the same issue come up when someone asked me to disable Save As for a PDF.
There is no way take an arbitrary document and modify it in such a way that it cannot be saved. You could modify a program such as Word not to allow Save or Save As but that would still allow someone to open and save the document with a different program or on a different machine.