Forgive my ignorance in this issue as I am a noob.
If I ship an iPhone application that connects with a web server in a mySQL database, and the database has sensitive information, can someone read the objective-C code of my app and find my database information?
More simply, is there a way for someone to look at my code in a shipping app?
Kurt
Reverse engineering of iPhone apps is absolutely possible.
A more likely attack however would be using a network packet sniffer to analyze the communications between your app and the server. Unless you're using encryption, it's extremely easy to do this. Even with encryption I suppose this is not much of a challenge for an attacker with strong motivation, though.
Yes, an iPhone/iPad app will be stored by iTunes as a file with a .ipa extension, and the contents of this file can be examined.
People can't see the original source code, but the object code and data will all be visible, so reverse-engineering is definitely possible.
For more details, see http://dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone-appstore-binaries
Related
I've been researching for ages and still cannot find an easy solution that perfectly. So i stopped and figured i was going about this project the wrong way. All i need is an easy solution.
My project requires me to make a website that has forms (fields include images, text, urls, colors). When the user submits this form, somehow (THIS IS THE KEY QUESTION), gets sent to Xcode so that it can be used in and iPhone app.
My questions: What is an easy to use program to make a website that can do what i said? How does my website connect to Xcode (supply it with the data)? Is it possible for my app to check for newly submitted info?
Keep in mind that i don't have much coding knowledge as far as websites and i only a little about making iPhone apps (Yes, i have made some but not as advanced as this)
Thank you in advance!
It sounds like you want to build an IOS app that can retrieve user submitted data from the server.
Your form will have to post the data to the server where it is stored in your database. Images will have to be uploaded to the server as well.
You can then build a server-side api that returns data to the IOS device upon request. You can have your IOS app regularly request data from the server, receive the response and store what you need on the device.
There is a lot more to it of course, but from what I can gather from your post, this is what you're looking to do.
The workflow you describe doesn't make any sense.
It starts out easily enough: you have a website that has a form with a submit button. No problem there. Hitting submit likely does a POST to a server somewhere. Again, no problem.
Then you say the form data has to ultimately end up in Xcode. This is where things are really muddled. Xcode is a programming IDE for Mac OS X. I'm not sure how or what it has to do with handling data from a Web form. The two things are, for all intents and purposes, completely independent technologies.
Please describe in much more detail exactly why you think you need to "send data to Xcode". Otherwise, your question, as written, is unanswerable.
In an iPhone iOS4 app containing an existing SQLite database (i.e. there at compile time), how secure is the data in the SQLite database?
For example, is it worth encrypting an SQLite database (using the sqlite3_key(...) method sold under license)?
It is secured until the iPhone is jailbreaked. After jailbreak one can go to your database and can copy it to his desktop and then can see your data. So I think if you have very important data then you should encrypt your database
First question you have to answer is how valuable is your data? That somewhat determines how much time a hacker is willing to spend trying to get at it. Security is a complex subject and you could spend days researching IOS security. It depends heavily on the IOS version, with IOS 4 being the first release that has a decent chance of being really secure. First off nothing is secure unless your device is locked. Also, your database is NOT encrypted even if the device is locked unless you set data protection flags in your code. Sandbox doesn't help you here at all really, except to protect one apps data from another. A hacker with your device will jailbreak it and install an SSH server and at that point can pretty much do whatever they want, including brute-force passcode breaking attempts. If an IOS 4 device was locked with a decent passcode and you set data protection on your database, you are probably ok with counting on the IOS hardware encryption. But can you depend on users to set a decent passcode? The default simple passcode is only 4 digits - not that great. And will they all be IOS 4+ users? If not, you'll need your own encryption on the database. Just don't store the key anywhere, cuz hackers will find it. And while you are considering security in your coding, consider that hackers can also decompile and run a modified version of your app.
AFAIK data are physically encrypted on iOS 4.x devices. Add to that the fact that application are sandboxed, it's a fairly secure system.
Just for the trial purpose i want to make an app for my iphone/iPad which can use a sqlite database locally or on a server. So how should i do this??? How should i get and post the data back and forth. I know its a lot to ask in a single question but if there is any link or tutorial you can provide me with, that would be great.
Thanks,
There are pretty good tutorials available to learn about sqlite & iphone programming,
I suggest these...
http://www.icodeblog.com/2008/08/19/iphone-programming-tutorial-creating-a-todo-list-using-sqlite-part-1/
http://www.mobileorchard.com/iphone-sqlite-tutorials-and-libraries/
Hey everyone. I have a fair amount of experience developing iOS apps, but nothing much with web/server interacting apps. For a project at work, I am making an app that will let you login, and get pictures off from a server that will then be downloaded for display and review on the local device.
I need to get some pointers on the correct approach to take. Are there built-in classes that make doing something like this easy? Once the cogent is downloaded from the server, it will be viewed locally, so all I need is to get a point in the right direction for logging in and communicating with a server…from an iPhone.
Can anybody point me in the right direction?
Me, I'm using ASIHTTPRequest Librayry to communicate / download with Internet.
For example, for an news app I download latest news in JSON (with a PHP script on a web server) and store datas with SQLite. If you need a little explanation of JSON with iPhone, check here (in french, but source codes are in english ^^)
When I need to download an image, I use ASIHTTPRequest and a queue to avoid downloading to much files at the same time.
If you want more information about a step, just say it.
Good Luck !
NURLConnection is your friend, along with its delegate methods.
Don't be lured by the temptation to use the -sendSynchronous method (which, now that I think about it, if you require authentication, you probably can't use anyway).
I have a iPhone app which needs to have a self destruct option. This app is going to be use on sensitive locations and holds some algorithms which are not to be known by anybody except the iPod Holder.
What would be the most "complete" way of deleting the app?
I was thinking of some how writing zeros to the nib file. or the actual application.app but I believe this folders are write protected and sandboxed.
Anybody have any ideas of better ways to achieve this?
Elaboration (Taken from original poster's comments):
This is for a jailbroken iPhone.
These devices are going to be provided to military personnel this device falling into enemy hands would be the least of my concerns. It's going to have a button so wipe the app once the app is written to zero or better yet corrupted with garbage all over the "exe" the app has no way of working and it would require inspection of the iPod flash chip with equipment that i 100% know the wrong people wont have
If you are openly storing the code that contains this algorithm within your application, there's nothing stopping the "wrong people" from jailbreaking the device and copying the complete file structure of the device before you run your "wipe" process.
Additionally, if you are dealing with a U.S. Government customer, I doubt that they will approve of the purchase of a jailbroken device, given that the vendor of such a device has claimed that jailbreaking is illegal. Whether or not this will hold up in court, the government tends to be conservative in these matters and err on the side of caution. Because Apple is a large U.S. company and a vendor to the government, I wouldn't expect the government procurers to take the jailbreakers' side in this.
My recommendation would be to encrypt the particular algorithms within a file in your application's bundle, and require the user of this application to decrypt this file into memory with the correct (difficult) password. That way, even if the "bad guys" were to gain access to the application, they wouldn't have everything they need to access these algorithms and would have to brute-force the password on the encrypted portion. This could be done on a standard, non-jailbroken device.
The U.S. Army is rolling out iPods in the field, with custom applications on them, so I'm sure that you're not the first person facing this challenge. If this work is being funded through a Department of Defense SBIR grant (or similar), you may even be able to contact your contracting officer and see if they can put you in touch with people at the appropriate agency who may be able to help you out with this (or even determine if it an issue to begin with).
I'm going to go out on a limb here and say you may not want to use the iphone for this type of app. There are intentional limitations to this exact type of action on the iphone and in springboard. If you are doing something so sensitive that it can't fall into unauthorized hands my recommendation would be to use a different and more customizable/controllable platform.
Unless you're working from a jailbroken device, you're probably going to run into problems here.
Even if you can find a way to automatically delete the app, you're still running the risk of those algorithms getting into the wrong hands - you would essentially be running into the same problems that Apple has with jailbreaking - once the device is in someone else's hands, it only takes the proper amount of motivation for the data to be accessed.
The only way to secure your algorithms is to pass the data to a remote server and get the results. There's still a possibility of a security breach, but it's much, much lower.
I don't know how well this would work, but you could store the algorithm as a file inside the application bundle, run the algorithm from that file possibly using a scripting language or something, and delete that file if you need to.
The folders are sandboxed, but your application is in there. On my jailbroken iPhone I see that all the permissions are owned by mobile so I don't see any reason why you can't just overwrite all the files with zeroes and then delete them.
The application bundle is effectively read-only, perhaps you should store some of the information in an encrypted form somewhere on a network.
Even if you find a way to write over the app in the flash memory, you really aren't erasing the app. Flash memory chips use wear leveling algorithms to reduce writes to the same blocks and so when you write out zeroes they are typically written to a new block of memory and not to the same block used before, so you really aren't erasing anything. The data can still be recovered from the flash chip (by a pro).
Another option is to separate out the parameters of the algorithm so that the algorithm is no longer sensitive (or at least not usable) and provide the parameters encrypted in a file. Then provide the key to authorized users via the network and don't store that key into flash, only RAM. They would need to get the key every time they start the app. Only give the key to authorized users. Of course, you'll also need to encrypt that key for transmission over the network with another key... There are systems for doing this, don't invent your own, in any case you'll need a crypto expert to do this right.
I would use the built in encryption to store the data, with a key the user has to enter to decrypt it. Without the key it doesn't matter if the data blob is recovered from the device.