I plan to develop an app for iOS and want to use HTML5, CSS and Javascript. The final app should be implemented as a native app using Xcode and UIWebView.
Can I hide or protect my html files in the final app? I have to put the files in the folder called "Supporting Files" in Xcode. Therefore, everyone can view the plain files after purchasing the app by extracting the .ipa file, right?
There's many ways to protect your data, depending on how good you want the protection to be. For very minimal protection against only casual hackers, you could use a string obfuscation algorithm to obfuscate and de-obfuscate the HTML content as NSStrings. Here's an example of doing that. I haven't used that particular code, but I'm also not really recommending obfuscation as a technique, unless the data really isn't very sensitive.
The better solution is to encrypt the HTML content, although that's more work, and may involve some export control issues, depending on where you are, and where you're distributing your app.
For encryption, you have lots of options.
1) Here is an open source implementation that provides a secure version of something like NSUserDefaults. I don't see an equivalent to registerDefaults: in that code, though, so it's possible that the first time your app runs, you may have to download the content from the web. But, then you could encrypt and store it in PDKeychainBindings as a string value. On subsequent runs, you could then extract stored HTML "files" like this:
NSString* webPageContent =
[[PDKeychainBindings sharedKeychainBindings] valueForKey: #"index.html"];
2) Here's another open source project that provides AES encryption wrappers. You would write some non-production code before releasing your app to encrypt the HTML content into encrypted data files that would be bundle resources. When your app runs, it opens the files and decrypts them into NSString objects which can be given to your UIWebView via loadHTMLString: baseURL:.
3) Finally, here's another example of using the underlying CommonCrypto APIs to protect bundle resources. This example uses a custom build step to automatically encrypt resources in a particular folder, which would save you some time if your protected HTML content is going to change reasonably often.
You can encrypt the files and decrypt them at runtime or you can not include them in your bundle and have a compile time script that reads them and converts them into encoded data in your app that you can just load into your UIWebView with:
- (void)loadData:(NSData *)data MIMEType:(NSString *)MIMEType textEncodingName:(NSString *)encodingName baseURL:(NSURL *)baseURL
You could create all your HTML and so on also within your code and then use UIWebView's
- (void)loadHTMLString:(NSString *)string baseURL:(NSURL *)baseURL
to manually load every HTML string as plain text. I advice you, however, not to do so. If somebody really wants to isolate every string from your compiled source code, this is possible for him (unless you really do demanding stuff).
Most of the users simply don't care about what's inside the ipa file. If you can live with < 1% who inspects it, don't worry too much about this topic.
Another aspect would be possible as well (even if this is not a fantastic idea): You could point your UIWebView to a secret website only you and your app know. This is absolutely not advisable.
Related
I have an iOS application, which stores all downloaded *.pdf files in its cache. Is there a way to prevent this data from extracting? Encryption or something else? Thanks in advance.
There are quite a few ways to encrypt files, and I'm sure everyone will have an opinion on the best way to do so.
In a project I've recently been working on, we've been using CommonCrypto (https://github.com/AlanQuatermain/aqtoolkit). Just take any NSData, encrypt it, and save it to a file, and vice versa. You can even write an easy Transformer by subclassing NSValueTransformer, which abstracts all of the encryption to one spot and you will never have to worry about it again.
You can protect PDF files with a password. I assume you create the PDF files not within the application but externally. For example you can use Preview.app in Mac OS X to secure existing PDF files with a password (Hit Cmd-P, then select PDF in the print menu and there you can set security options. Or even more simple: in the menu choose Export...).
In iOS you can then open the PDF files like this:
CGPDFDocumentRef documentRef = CGPDFDocumentCreateWithURL((__bridge CFURLRef)[NSURL fileURLWithPath:filePath]);
if (!CGPDFDocumentIsUnlocked(documentRef))
CGPDFDocumentUnlockWithPassword(documentRef, password);
...
There are actually 2 Documents folders in which your app can store content. One can be extracted, and one is private. Check the accepted answer in this ticket.
Access files in "private Documents" folder transferred with iTunes
Assuming you want the PDF files from getting extracted on jailbroken devices, the most straight forward approach would be along the following lines:
generate a random string during the first launch of the app
save the random string either in NSUserDefaults in state file inside your own app's sandbox
using this random string create a secret key using a deterministic but hard to figure out algorithm
use this secret key, which you don't store anywhere but always generate on demand, symmetrically encrypt your buffer with AES or something similar
You would probably find the source code here very helpful.
There is a very cool iPhone app called Viddy where you can download filters to apply to videos.
How can they pack filters outside the app, and make them available to users via downloading?
One way would be to have an in-app purchase that's just a document that describes an image processing graph. (Think of a nodal graph representation for something like Shake or Nuke.) For example, a glow is often implemented as a blurred image mixed with the original image. You could create a document which describes that processing graph. Once you've downloaded such a document into your app, you can implement it using Core Image filters, or write your own using GLSL, or even just straight CPU processing.
It's pretty simple, they do use shaders and they're downloaded from the internet.
Download iExplorer for Mac, connect your iPhone with Viddy installed.
Check Library/effects folder in Viddy.app. You'll find afx_1_0.xml and vfx_1_0.xml files there.
Download them to your Mac, open them and you'll find filters definitions there along with URL to download them.
An example is SOHO filter. Download this file, open it and you'll see three files there: shader.fx3 where shader is defined, thumb.png for thumbnail and vignette.png file, which is used for this shader as well.
We did use same approach in unnamed application, but we did encrypt all this information along with shaders itself to avoid analysis like this one :)
Encryption, decryption example request in comment
Let's say you have .fx file with your shader (or any other file).
Open Xcode and go to Build Rules where you can define build rule for *.fx files. Set it to run your Custom script: which can look like this one:
ENC_KEY="your-encryption-key"
${PROJECT_DIR}/../Tools/bin/crypt -e -k $ENC_KEY -i ${INPUT_FILE_PATH} \
-o "${BUILT_PRODUCTS_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/${INPUT_FILE_BASE}.cfx"
This script produces .cfx file, which has same content as .fx file, but is encrypted.
crypt binary came from this project: download crypt Xcode project.
Download encrypted resource demo.
Copy EncryptedFileURLProtocol.* and NSURL+EncryptedFileURLProtocol.* files into your project.
In app delegate call this to register your protocol [NSURLProtocol registerClass:[EncryptedFileURLProtocol class]];
And now when you do want to open encrypted resource, you have to use protocol encrypted-file instead of file://. This task handles NSURL category from demo project and you can simply use [NSURL encryptedFileURLWithPath:#"/path/to/my/encrypted/file"].
It's pretty simple and you'll find most info you need in sample app (link above). Also you can mangle your encryption / decryption key in application, so, people have to think and the key is not easily readable. Now, when you access encrypted file via this NSURL, it's automatically decrypted for you in app. The decryption key is set in sharedKey in EncryptedFileURLProtocol.m file.
The easiest way to do this is to build the filters into the app itself, and have the in-app purchase simply unlock the ability to use them.
If you wanted to avoid the download time for all the additional images or other pieces needed, you could still include the code in the main app, and just download the extra resources needed. You can use something like Urban Airship's IAP support to host & download the IAP resources. (You might also want to look into new features of iOS 6 in this vein.)
GLSL shaders may be downloaded in source code form and then to be used for processing. It gives very flexible way to create new filters after having app published. From another hand it might be enough just to update (download) additional filter data. For example, Instagram uses same color curve technique for most filters but with different curve data, so it they want, they will be able to update their filters online.
Filter for videos also uses CIImage class like intagram application for images. See the link here:"http://www.icapps.be/face-detection-with-core-image-on-live-video/". Now filters can be download the filter (actually its In App Purchase happening).
Put the purchase/download method right beneath the case:
case SKPaymentTransactionStatePurchased:
[self ...];
so whats happening is purchase of filter for free which can be used on any video. Actually method is enabled to have filter after SKPaymentTransactionStatePurchased.
I would like to save a .html webpage with AFNetworking, but would also like to save the resources (such as .css files, .js files, images etc) within the webpage so that the whole webpage can be viewed offline.
Is this possible with AFNetworking, and how would I do it? Could a short example be posted please?
Thanks!
AFNetworking is not necessary to do this. Instead, what you want to do is use an NSURLCache subclass that supports disk cacheing (such as Peter Steinberger's fork of SDURLCache). With that in place, just load up a URL using a UIWebView (this may not necessarily have to be displayed to a user), and subsequent loads should use that local cache.
At the very least, do not waste your time trying to write something on your own to download assets on a webpage. This process requires a web browser (which UIWebView qualifies as) to determine everything needed to load.
I need to define a processing rule for web data in iOS and thought it would be a good idea to pull the processing rule as a script file from my server and execute it on the iOS device, since the web API I'm interacting with might change URLs or response syntax and I need to be able to fix such issues fast and cannot rely on pushing an update (takes forever).
I wanted to do it with a small JS file that is pulled from my server every once and a while, but unfortunately iOS doesn't include the JavaScriptCore framework.
Are there other options?
Apple developer agreement will not let you run a downloaded, interpreted script, on the device.
Your best bet is probably downloading a data structure (potentially in JSON format) and parse that and take some predefined actions in your client code based on that, rather than trying to execute the downloaded code directly.
You can let a UIWebView run a Javascript snippet, or you could use another scripting language like LUA (don't forget to add LUA for this). The real problem is: You are not allowed to download code from a webserver or somewhere else. Everything must either be already on the device, or calculated at runtime.
Depending on the information that you want, you could use an XML file that includes the new URLs and parse it, but I don't know if this fits your need.
You can compile JavaScriptCore into your app, evidently, and have it approved by Apple. However, as Mehrdad notes, any scripts run in the app must already be in the app at the time the app is reviewed.
Recently i've asked about the security implications of storing sensitive info in the xml string resources in Android: the answer? Heavy security implications, is really easy to get the contents of every xml file with a simple command line tool, so it is almost mandatory to have important info encrypted.
Now, how is it like in iOS? How secure it is to have a certain data in a plist or a .strings localizable file, in plain text, non encrypted?
Still not very secure.
There is nothing stopping a user from unzipping an application stored on their computer in iTunes and viewing the contents. Its very easy to do, even without a jail broken phone. Any strings resources, plist files etc will be immediately accessible.
Even hard coded string literals are visible in the compiled binary when one views it with the strings utility. And going a set further, using the nm utility one can see all your applications symbols, such as method names, constants, etc.
I would recommend against storing anything that could be considered sensitive in plain text.
You can access any file on a jailbroken iPhone, so you'll need to encrypt sensitive data.
If your app ships with a .plist file, then the end user can unzip the .ipa app file and see the .plist file and do whatever they want with it.
The exact same problems, a plist is a very common file for Mac OSX and iOS and it is just a XML file. Secure your sensitive data on ALL platforms!
I would like to add that apple does provide a way to securely store sensitive information in the Keychain.