I utilized the realm encryption example to make a Key and encrypt the Realm database. Then I used the Realm().writeCopyToPath(_:encryptionKey:) to make a copy to ship with my app as indicated by the documentation. I believe its my lack of knowledge in encryptions, but how does a shipped app know the encryptionKey when the user downloads the application for the first time as the key was stored in the keyChain. I assume that hardcoding the encryptionKey is a bad idea so I was wondering what the correct approach to doing this was. Thank you for your time.
It's the lack of general technical feasibility, which makes it hard to come up with a solution. When you ship encrypted prepopulated data, you have to include the encryption key as well, which means in effect that the data is not secure anymore because security by obscurity doesn't really work.
If you have some data to prepopulate, which you wouldn't consider to be sensitive, but want to store sensitive user data in your Realm, then I'd recommend loading the plain bundled data from a separate read-only Realm instance and use writeCopyToPath(_:encryptionKey:) at runtime, with a randomly generated key, you can place in the user's keychain.
While if you're afraid that e.g. your level data for your game will be stolen on a jailbroken device, where you can't count on the FairPlay encryption, bundling an encrypted Realm gives you another level of hardening for a possible "attacker". But you should make sure that you obfuscate the encryption key when you integrate it.
Depending on your use-case, you can use one of both ways or combine them both.
Beside that there is a CocoaPods plugin cocoapods-keys, which is a popular way with some great ideas how to manage encryption keys while development.
Related
I want to store some keychain information (credentials and one or two details), and ACSimpleKeychain was recommended to me as a simple implementation that would be easy to use.
Furthermore, I would like several apps in a family to be able to use the same credentials: it's a nice-to-have and not a necessity, but I would like to store keychain information securely and have several almost-isomorphic apps aware of the same information.
I see that the .plist file includes com.foo.${PRODUCT_NAME:rfc1034identifier}, and was wondering two things:
First, if I set all apps' bundle identifier to com.foo.common, will this put them on the same page as far as keychain credentials?
Second, is such a replacement, meaning non-unique bundle identifiers, risky territory or bad engineering?
Storing credentials securely is what I most need and I believe that ACSimpleKeychain will do what I want.
The nice-to-have I am looking forward is having all the com.foo.* be able to opt-in (or be automatically assigned) to share credentials so users only have to enter data once.
Any advice would be appreciated.
The bundle identifier is the only item in a bundle that uniquely identifies the application and it's likely that problems may occur if it is not unique.
Also, your applications will not be allowed to go in the App Store without unique bundle identifiers as mentioned here.
I am new to iPhone app development and have a question about storing data. I've spent quite sometime learning about core data but still confused about the concept of persistence store.
What I understand is that core data is just a way of managing the data you downloaded from an external database. But given that core data is backed by SQLite, does that mean there exists a SQLite db in-memory while running? If so, does that mean when I use core data it will be more effective if I download a huge data set at start? But what about apps such as twitter or Facebook that require constant update of data, is a straight $NSURLConnection$ sufficient in these cases? If core data is used, will the extra overheads (i.e. data objects) be of any burden for such frequent request of update?
I would also like to find out some common ways of setting up an online database for iPhone app? Is it usually MySQL servers with a homemade Python wrapper that translates the data into JSON? Any standard server provider would provide the whole package? Or open source code?
Many many thanks!
I'm going to go through and try to address each of your questions, let me know if I missed one!
Firstly, Core Data can be used to store information generated in your app as well, there is nothing keeping you from using it in one way or another.
The way I understand it working is that the file, or other storage mechanism Core Data uses, exists regardless of whether or not your app is running. For a user to have to wait for a large database to be downloaded and loaded into a local database without being able to interact with your application is not the best way to do it in my opinion, people react negatively unresponsive UI. When a user may run your app for the first time, its possible you may need to get a larger set of data, but if any of it is generic and can be preloaded that is ideal, the rest should be downloaded as the user attempts to access it.
Facebook and Twitter applications work just as you understand in that a connection is established and the information is pulled from the appropriate site, the only thing they store is profile information, as far as I know. I would hesitate to use Core Data to store peoples information as eventually yes, there would be a significant amount of overhead caused by having to store peoples news feed or messages going back months on end.
As for setting up on online database that is something I'm unfamiliar with, so hopefully someone else can provide some insight on that, or if I find something I think may be of use, I will post back here for you. This part may actually merit its own separate question.
Let me know if you need to me elaborate on anything!
I would like to know, how much amount of data can be stored inside the iOS key-chain?
When refer online, i can see the urls which talks about storing username and password. not storing the db inside.
Please let me know, can we store db inside the keychain?
how to store the db more securely.
Help me up
No, it's not intended as a general-purpose secure datastore.
From the iOS App Programming Guide (emphasis mine):
Keychain Data
A keychain is a secure, encrypted container for passwords and other secrets. The keychain is intended for storing small amounts of sensitive data that are specific to your app. It is not intended as a general-purpose mechanism for encrypting and storing data.
What you probably could do is store the data in more conventional places, and secure the decryption key in the keychain.
I'm writing an iPhone app that integrates with third party APIs. These APIs use OAuth (key/secret specific to my app not per user) in order to authenticate which app the request is being made in behalf of.
Is it secure (or how secure) is it to simply put the key/secret in code? Can this sort of data be reverse-engineered? Is there a better way to go about including this data in a project?
There is no place on the iPhone to hide data. A user with a jailbroken iPhone has more control over the device than any developer. If possible you should setup a web service such as a REST or SOAP service to take care of these OAuth transactions on behalf of the client.
As Rook said earlier, there is no way to hide your data in iPhone. But you can make hacker job so difficult. I just done a work around for the same issue.
Put oAuth key information in PLIST
Mannually I encrypt this PLIST by using AES key and I got encrypted "CIPHER TEXT"
Modify the AES key by appending characters in between with your own logic. Since it required at runtime to decrypt the plist
Add this modified key with plist "CIPHER TEXT" and store this value in New plist.
Remove old plist which has oAuth information
Now you have only one plist which has encrypted value with modified KEY
Advantage:
Hacking is so difficult since hacker don't have a proper cipher text in plist
To hack this code they should know to separate Modified AES key from Cipher text.
Thou they found Modified AES key, they don't have any clue about the appending algorithm, here i simple used EVEN position of the character, but you can't modify this and you can take 3rd or 4th position of the character. Which is actually will differ for each developer
for more information please visit below link;
https://sites.google.com/site/greateindiaclub/mobil-apps/ios/securelystoringoauthkeysiniosapplication
I'd suggest looking into the Keychain services provided by Apple
http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html
I would like to encrypt a string with AES 256 on the iPhone but have not found much via google. What I am trying to do is post some data to a web site as part of a game I am creating, but I do not want the user to be able to cheat by seeing how it is posted because it is plain text. So I want to post one encrypted string to my php page (ala www.test.com/test.php?encrypted= etc...) and then the php script will decrypt it and do what it needs to if it is valid.
You can just use the CryptoHelper which is adopted by CyrptoExercise Sample Project
A much easier approach here would be to use an HTTPS POST, which would give you similar protections with far less code, though there are still difficulties for solving the problem you're attacking. The kind of solution you're describing generally requires some kind of shared secret, and it's very hard to protect code using a shared secret for long. You may find these posts helpful:
Machine ID for Mac
Store an encryption key in Keychain while application installation process
Obfuscating Cocoa
Still, HTTPS is probably a much better solution than AES here.
Check out this site: http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html