iPhone Data Storage - understanding what is and what is not secure - iphone

I am developing my first iPhone application and currently considering whether to deploy the app packaged with data, instead of calling upon a web service for the info. The obvious benefits are for those situations where you have a poor/non-existent connection and i could easily write something that could update the client data periodically from within the app.
What i am not sure about is how to store the data - sqlite, core data, plist or iphone file structure - Simply because i dont want someone unzipping the deployed application and getting their hands on the raw data.
Is this actually feasable? or is pretty much everything accessible once its deployed as an app?

You cannot stop somebody from accessing the data stored on the device, independently if you use sqlite, core data, plist or iphone file structure. At least not within reasonable means.
What you can do rather easily is to make the data useless for unauthorized access. In other words: encrypt it.
If what format you store the encrypted data then depends on the app needs.

This is pretty tough to do. The easiest way to do this would be by using the Xcode Organizer panel and then looking at the applications that you have installed. If it is one of your applications (matching your dev credentials) then Xcode will give you the option to download the application's sandboxed folders (docs, temp, etc).
From memory, you cannot do this to another application that doesn't belong to you. So in short you are safe to include data in your app. Honestly though, if someone wants to get to that data, they always will given enough time and resources (thats my opinion about all security).

Related

How to encrypt iPhone upload and download of info?

If I use SSL connection for my iphone app to query the database using web as the datasource, is it possible that the links and info that goes back and forth from the server to iphone will be encrypted in a way that nobody could see it. Additionally, i believe that the iPhone caches info, the web interface can cache data going to and from the device.
By another person i was told this:
SSL is only the transfer, what the app uses on the device is not encrypted just because what is transferred is. If the app uses no cache and you use SSL, you could be safe, the simple fact is that almost all apps cache data prior to transmitting it. Therefore, you would have unencrypted data on your device.
So what are my options if i want to build an app that uses the web as the datasource, stores nothing on the app, and uses no cache. I want all data coming from and to to be encrypted.
At some point, you're going to receive data from a server. That data needs to be put somewhere, like in a data buffer. There's absolutely no way around that. If you're using SSL then the transfer process will be encrypted. As your "other person" said, as long as you don't explicitly cache the data, then that's about as much as you can do to protect yourself on iOS.
I'm not sure exactly what you're expecting here, otherwise.
None. To do anything except transferring the data, you need to have it decrypted. If it is decrypted it will be in the RAM of your device. How secure that is depends on the application. In theory there are some operations that can be performed on encrypted data, but in practice this is only useful for a handful of applications (and it's a hard thing to develop).

how to synchronize coredata between devices?

i have an iphone app that uses coredata to store its contents. users often ask me if i could provide a way to sync data between their mobile devices (ipod/iphone/ipad). as of now, i have no idea on how to achieve this.
i found zsync, but this seems to depend on a osx version of the app (which i dont have). i also read about upcoming iclouds sync features, and it seems to be what i need - however i think its not possible to sync coredata contents, but text-based contents only (e.g. xml storage files). is this true?
another way i was thinking of was to abuse the eventkit api to sync via a user-provided calendar. since my app is mainly managing events, which can optionally be stored in a user-calendar (in addition to coredata storage), syncing through a calendar would seem good to me. however i think syncing might break, e.g. when the user chooses not to syncronize the whole calendar but only like 3 months in the devices settings/account settings.
anyone got an idea of how my approach should be like? any tips?
Syncing device to device (if that is what you are trying to achieve) can be quite tricky. You could implement your own discovery and data-transfer protocol and work something out that way, but it could be quite a bit of work.
Syncing device to server to device is a bit more straightforward, assuming that you already have a server with some form of registration/login system. Then you just need a way of communicating your current database state up to the server, and then back down again from the server to other devices. Again there is a fair bit of work involved in doing this, but at least the logic of working out which devices sync with which other devices and how they transfer data from one to the other is all implicit in the workings of the server.
As for iCloud, the programmatic content that you sync through it needs to be derived from UIDocument, so it will not help you with generic Core Data entities.
If you're looking for an out-of-the-box solution that will sync all of your Core Data content from one device to another with no custom code, then there really isn't one. The closest you can reasonably get would be to ship the entire .sqlite file that your app uses from one device to another, overwriting the target devices .sqlite file. That works fine if your sync only needs to be unidirectional, but obviously is not appropriate for other use-cases. Perhaps you could use this model with iCloud, if you can get it to sync your app's entire .sqlite file as an atomic entity.

Protecting the app sandbox

So I am working on a test app that downloads files locally to the app file storage sandbox. Some of these files may be sensitive and need to be protected. My app has a login mechanism, so you wouldn't be able to access the files if you didn't have a login, so my main concern is the ability to sniff the contents (Perhaps on a jailbroken device??).
Now I was wondering if the best method to protecting these files is to encrypt each one independently? Or perhaps there is a way to encrypt the whole sandbox? Or is it encrypted by default? Has anyone ever done anything like this before?
I apologize for the long string of questions, I am trying to gather as much info about this as possible before making a design decision...
Thanks!
You might want to look into the File Protection mechanisms in iOS 4 and later. That provides a way to mark a file as "protected" so it will be stored encrypted on disk at all times, only accessible when the device is unlocked (with a passcode).
See also this question
You can encrypt the whole sandbox using the OS if you target iPhone 4 with OS 4.x. Even then, iOS has this concept of an 'escrow keychain' which is basically a cache of passwords and can he potentially hacked into. As far as I am aware, Mail is the only app that encrypts everything.
In order to encrypt your application data in this way, you just need to set the appropriate NSFileProtectionKey as documented in NSFileManager. But, as mentioned, this is not entirely secure.
You could try a custom category on the file manager that encrypts files based on your own requirement so that you have encrypted documents. The choice is yours.

Iphone backup for my application

I have an iphone app with tons of coredata data. I am trying to implement a full backup method where i can get all of the data from the app and throw it to a webserver. I prefer to use json data for this format. Is there an easy way to dump all of the application data out of the system? or a method for backing up the data structures directly from in an app?
You could just upload the persistent store file itself. That would grab everything.
We ended up building something cool for this by grabbing the sqlite file and a web service. Everything seems to be good as long as connection is not broken. Let me know any questions on this in the future

How can I migrate my user-generated data to the computer?

I have a query regarding BackUp of third party application data on PC.
I am developing an application which can store photos, text, recordings.
The user can add number of photos or recordings.
So at the runtime, size of application storage will go on increasing.
User will never want to loose his data but storage is limited.
Hence taking backup of data on his computer and then deleting from iPhone seems essential.
So what is the standard way of taking backup of third party application data?
Is there any way by which we can save the data on MAC as well as Windows using iTunes?
Is there any limit on amount of storage a third party application can take?
iTunes will perform a complete backup of the iPhone when it is plugged in for sync, which will contain all the application-specific data files. However, the only way to restore this is to restore the entire system image, so that is only an emergency backup, not what you need.
Third parties have typically provided their own backup and synchronisation strategies. There are two broad approaches:
in conjunction with a companion desktop version of the same application (eg. OmniFocus, Things, Four Track)
using a web service (eg. Darkslide for Flickr)
The web services are typically accessed via an AJAX API (or equivalent), but will obviously take longer for backups of large files. The desktop sync products provide their own (eg. OmniFocus uses a WebDAV server) and use an internal sync engine to keep things up to date, and can sync using the WiFi connection.
So either way, you are most likely going to have to write your own server to handle your own backups, and deal appropriately with the file types and metadata. I don't know of a third-party solution to this, but if one exists, it would be very generic, and may not suit your particular needs (eg. for file formats, etc).
So what is the standard way of taking backup of third party application data?
Write your own sync server and connect via WiFi. Start by looking at WebDAV, as you can build something on top fairly easily.
Is there any way by which we can save the data on MAC as well as Windows using iTunes?
iTunes will only do a full system backup. Your best bet is to write your sync server to be portable.
Is there any limit on amount of storage a third party application can take?
AFAIK there is no per-application storage limit on the iPhone. If you provide your own solution, you could do something like archive anything older than 30 days onto the Mac/PC, so you are only keeping recent files. Then allow them to choose "favourites" and those will be kept on the iPhone regardless of age.
You can use iTunes to back up your iPhone. During the process of transferring the iPhone data, you will be asked to back up apps. But if your apps are not from iTunes library, you may not install them when you restore them on devices.