I'm building a web application and would like to access data that is stored on the iCloud. Not just app data, but data like contacts, messages, etc.
There's very little information on the Internet about retrieving this data and so far I have been unsuccessful. Is there anyway I can access iCloud using an API call and download an entire backup and then sort through the data?
I appreciate any help.
Related
In my app users can read and write data on Firestore.
In the Firestore Database there Is also a "Credit" document for each user where the balance of coins Is stored.
How can I be sure that no One could modify an APK of the app in order to change the balance?
In the app there are some functions that remove some coins from the balance, my fear Is that someone could change the code and add coins instead.
assuming that your app implements firebase authentication to authenticate operations on firestore it's safe to say that your app is compiled with a key and it has an hash.. it's not possible to someone to decompile the app, change the code and recompile it with your key.. so the new "hacked" app will have a different key and hash and firebase authentication will not work and your db will be safe
I think you need to secure the data itself. In your scenario I don't think you can have code in the app that simply writes a value to the balance. You need to create a separate API or firebase function to secure what you are trying to do.
If you want to ensure that only your application code can call Firestore, consider enabling Firebase App Check.
Just keep in mind that:
Using App Check does not guarantee the elimination of all abuse
So you'll want to combine it with other security measures, for example through the server-side security rules that Firebase also offers for Firestore.
Also see:
Locking down Firebase DB access to specific apps
How to allow only my app to access firebase without a login?
Using the firebase platform..
I would like to save some custom information about a user once they register.. and just for examples sake, lets say his/her favorite color.
So far when I register a user this is the only meta data I get
What options are at my disposal to get this done?
You have two options:
1 - Use Custom Claims
You can save additional data to the access token of the user. You can read that data directly from the user in the frontend and also in all database rules. I would recommend to use this for basic auth data like isAdmin or isRole if there are not much data to save. The reason for that is that it's quite limited in the amount of data you can save. Because it's saved in the token it has to be small so you should not save to much in it. You can find more about it here. You should edit this fields by a firebae cloud function using the admin sdk.
2 - Use one of the databases
I see it very often and it's quite common in Firebase to store such additional user data into one of the Firebase databases. You can make those 1000% securely by allowing only the user to write and read then or only to read depending on your needs. If you want to save more than just simple data I would recommend this. One reason more is if any other user like admin needs that data from another user you would not be able to get it by using the first option. It is also much easier to do it when the user needs to save data for himself and by himself. With the first version you would always need to involve cloud functions.
I very often use combination of both where I save such data like isAdmin to the custom claims but all other like nickname or some settings like language to a database. With the database I can also make it very easy to search through all users when you are an admin.
I am currently using Cloud Firestore for my iOS app, which allows users to store their expenses to the database, but in order to secure privacy, is there any way I can make sure that I can't read the data that they are inputing into the database. While the queries and all still work, I or any admin isn't able to see what users have put into their database?
No such feature exists. Admin access through the console and the Admin SDK is able to read all collections and documents all the time.
As #Frank van Puffelen suggested:
Obfuscating the data through encryption, will prevent any unwanted eyes from viewing any information. This will add to your workload since you will need to perform the encryption and decryption at either end of the app (client and server).
I believe, you could take advantage of firebase's cloud code, to minimise the amount of code execution performed on the device, but I have never tried this, so am unable to confirm.
As far as an encryption key, you have a few options:
The user's password: This is one way of ensuring the encryption without revealing the key to any admin, since passwords in firebase are already obfuscated from any viewer. The only issue would be that a user would be locked into a password, as changing it would prevent decryption.
Store locally: You could store the key locally on the device, which would mean that the user could enter a key, or have one auto-generate, upon launching the app for the first time. You would then store this in the app's default key storage, and retrieve when required. Whilst, I believe this to be the safest, it means that your app could not be used across iCloud devices, since the key would be stored locally.
Finally, is CloudKit, which allows you to store data in the cloud. This is private, and only accessible to the user's cloud devices.
I realise that there is no code in this example, I am not currently at my desk, for which I am sorry for, if anyone else would like to edit with some code examples, I would be grateful.
I hope this helps.
How to secure that all data related to a customer will be deleted from CloudKit when the user removes the app from his iPhone?
I got an app that saves data to a public CloudKit DB with a reference to a userID. But I don't know how to manage the data when someone deletes the app.
But I am sure there must be a possibility to manage dead data.
You will not be able to detect when a user has removed his app. What you can do is that you update a timestamp in your user record for when the app was used last. Then you could create a procedure that queries all users that have not used the app for more than ... (6 months?) And then delete all related data.
You probably don't want that procedure inside your app. You could create an admin app that connects to the same container. You will be able to access the same production container if you do an ad-hoc distribution to yourself. Or you could use the web api to do this.
I use the Dropbox Datastore in an app that uses both the iOS and JavaScript SDKs. Aside from the 10MB datastore limit, it works pretty well.
But nearly every support request I get makes me wish I could have access to the user's data for debugging. Being able to see exactly what the user sees helps me to find and fix bugs very quickly.
Is there any way for me to access a user's data without logging into their account? Can I maybe store their access token and gain access to just their Dropbox Datastore data?
This is one of the attractive things about Parse: you can see all user data. While there is a lot of wisdom in sharding user data across Dropbox user accounts, it makes app debugging crazy-hard.
Any ideas? What do you do to get around this?
Dropbox datastores, like files, are considered the user's private data, and as such there isn't a way for an arbitrary party to gain access to said data without some sort of authorization (e.g., access to the account, having the data explicitly shared with them, etc.) Likewise, even the developer of an API app that a user happens to be using doesn't automatically get access to the data.
That said, if, as the developer of the app, you want to troubleshoot using your user's data, the most straightforward method would probably be to get an access token for that app/user pair from the user. That would replicate their setup most accurately. (Unfortunately, the Sync/Datastore SDK doesn't make it easy to extract/insert arbitrary access tokens like that though. So, in that case, this would be a bit of work to build some flow to get an access token, e.g., a small web app, and then some work to read data directly from the API.)
Alternatively, you may want to make it possible for the user to share the datastore with your own account.
In any case, it's very important that the user not be misled or confused as to what is happening or what the developer is requesting. That means being clear with user with regards to what the developer is requesting and what will be done with the data. In addition, apps should provide privacy policies in general.