Is there a way to decompile the binary from an IPhone app.
I jailbroke my IPhone and was surprised to find other app's dbs wide open to be copied.
So I exported my most important table and hardcoded it into code.
Instead of loading table into array from a db I just generated code to fill the array and kept only the most basic DB info so relationships still work.
Took a while but now works fine.
I was just wondering am I safe, could someone decompile the binary for the app easily and extract the data. In Java its easy to decompile *.class files though thats bytecode where I presume iphone apps are more low level.
I know IPhone sdk 4 can mark files as secure. Anyone know can this be overridden by jailbreaks or is this an unix lock?
Short of encrypting that data, you are really only protected by peoples lack of motivation. If someone with enough motivation wants to look at the data, they can. Even if you encrypt the data, if they key is in, or generated by, your code they can find that too.
To be honest Apple couldn't secure a brick. The iPhone has been almost continuously jail-breakable seance the beginning. Users (read hackers:) have more control over the device than developers. There is no way that you can truly secure content on the device. If encryption is used, there is nothing keeping the attacker from obtaining the key. (He has control over all libraries and can hook any function call he wants.)
It is common to see developers fall back on Security Though Obscurity, and I'm not going to entertain these ideas. If there is data on the device, a hacker can and will make a copy of it.
I jailbroke my IPhone and was
surprised to find other app's dbs wide
open to be copied.
No. There is nothing wrong with this. It has to be stored somewhere.
So I exported my most important table
and hardcoded it into code.
Bad move.
A jailbreak from a priviledge domain is a vulnerability in the phone and is not your problem. There is nothing you can do about that, and even encrypting your data will not save you because all privileged code on the phone will be able to access the encryption keys.
In other words:
Code will not normally be hostile and steal your goods. The only reason it would is because the user downloaded bad code onto the phone or a remote exploit took place.
Related
I'm interested in playing around with the word list used in the popular iPhone game "Draw Something".
I don't know how iPhone apps are developed, compiled, or deployed, but I'm wondering if, once the app is installed on my iPhone, the word list is kept in a file I can access/read/modify?
I'm sure this varies from app to app - some apps might keep resources like this on a server, and in other apps, the data might be compiled. But perhaps some apps read data like this from something like XML- or CSV-formatted text files that are stored on the phone, and potentially accessible? (Or, backed up to your PC or Mac?)
If so - are those files accessible? If so, where/how?
I'm not an iOS developer, and I'm not interested in copying, stealing, or plagarizing anything from an existing app.
Specifically - I am interested in creating an information visualization based on the word list from "Draw Something." How many words are there? Which words are "easy", which are "hard"? Is it harder to draw a verb, a noun, or an adjective? I thought this might be a fun, (potentially) interesting thing to analyze.
That got me thinking... "I wonder how apps are stored on my phone?" (Or, backed up to my PC/Mac). Are they a single compiled executable? A handful of dlls? Is app data stored in simple text files, a database, or something else? Are these files accessible? Etc.
Many thanks in advance!
You probably got down voted (and may yet get removed) because this isn't really a programming question, and those are what SO is for. Power-user questions fit better elsewhere in the Stack Exchange network.
In the meantime, if it turns out this word list is stored in an easily readable file in the app's bundle... Apps are stored on the Mac/PC you sync your device to, somewhere under the iTunes Music folder. Each is a ".ipa" file, which is really just a zip archive. Change the file extension and you can unzip it to see what's inside.
Apps get file system access through the sdk. There is also a object-relational framework called Core Data that lets an app create and access a SQLite store. Apps can also maintain a small amount of state (usually user prefs) in a shared user defaults store.
In one word: No.
I'm 99% sure you can't lift the word list from "Draw Something". It's boxed with the app bundle, and not readily readable as a file.
I've tried to google this for a couple of days and I am still pretty confused, so I thought I would try here.
I have an iPhone app that uses Core Data with an sqlite database. I am trying to implement a simple backup/restore of the database with Dropbox.
I downloaded the Dropbox SDK, and I have everything running fine as far as linking, uploading and downloading my .sqlite file.
However, I don't want users to have access to the actual .sqlite file for security purposes. I have been seeing JSON on these boards for some time now so I decided to look into it. I think it is exactly what I need.
Easier said than done. I have never worked with Java and have never implemented anything like JSON before, so I have had to try to figure out where to start.
I understand basically what is going on, but I'm having a heck of a time figuring out how to do it. I think I found a way to get the Core Data model into JSON format (and I do use the term 'think' loosely here). But then what - what exactly do I upload to dropbox? Do I somehow combine the model (in JSON format) and the database? What gets uploaded to Dropbox? I'm sorry if this seems obvious to most, it really is not obvious to me, and I have looked.
I am willing to do the work, but it just seems like I could go in 90 directions without some basic guidance and a start. I am not trying to do anything fancy as far as determining data that has been changed, etc. - just want to backup/restore the whole database. I just need some basic explanation and to be pointed in the right direction. A simple core-data sample project would be tremendous.
I'm not an experienced programmer, but I am a fast learner. Just break it down easy...
Thanks in advance.
JPK
Thanks Andrew. I didn't want to 'give away' the database structure of my app, but i can now see that the json string wouldn't be much better than the sqlite file in that area. I am a teach-myself programmer (stay at home mom) so this is all pretty new to me. Maybe I want encryption? But is that allowed for iPhone apps anyway? I recall them asking about encryption when I have uploaded binaries.... I know that iCloud is coming out soon, and I do plan to implement that as well, but with the limited amount of data that can be synced for free, I want to be able to do a simple backup as well. Many of my users have asked for it - a backup in addition to that of iTunes, which really is not a great backup since you can't restore data for just one app (you would have to restore for all apps on the iDevice). Hmmm... Any suggestions as to how to upload the file in such a way that it is not easily readable? Is encryption the way to go in this situation?
JPK,
I think you're crossing multiple streams here.
JSON is a data transfer format. IOW, it has almost nothing to do with the architecture of what you are attempting. You will almost certainly use JSON to communicate with Dropbox.
I have a question: why do you think that the user won't have access to any data you send to Dropbox? I suspect that you are probably wrong. The user will have access to everything.
You are doing to an awful lot of work. You already have the .sqlite file being persisted on Dropbox. If you are doing this to make a backup, that data is being backed up in many other venues. In other words, your task is likely moot and unworthy of your time.
I use JSON, REST networks and Core Data daily. If you have a specific question, I am happy to answer it.
Andrew
Instead of saving the whole database, save out a plist file to Dropbox that you can rebuild a database from. That's assuming you have a lot of extra stuff in your database you do not want the user to see, otherwise just back up the DB as-is if it's all user generated data.
You could also encrypt it but why? Adding encryption only means you have to answer "yes" that you use encryption and may not be able to sell to specific companies, should you choose to encrypt - it's not forbidden.
Recently we developed and published a mobile banking app on the app store, for a big banking organization. The bank hired a security firm to perform ethical hacking over the app to see if it, in anyways compromises confidential data.
We recently received the hacking report from the firm, which in-spite of saying that no serious security issues are present, contains a list of all the class files, method names and the assembly code of the project.
Now the client insists that we fix these security loop holes and republish the app. However we don't have any idea how did they manage to get all these details from the application's IPA. I searched this over SO and found a particular post mentioning this link, which states that you can't save your app from being hacked.
Please help me how to fix these security vulnerabilities , or if not possible, how to convince the client.
Edit:
Recently came across this page. Seems like EnsureIT from Arxan can prevent app IPAs from reverse engineering. Anyone experienced with this?
There's always a risk involved. Even if you don't introduce vulnerabilities yourself, the platform may allow for exploits which in the end may offer an entry point for a malicious attacker.
As to your question: It is not safe to assume that a hardcoded URL, even if obfuscated beyond belief, can't be peeled out of your product. Always design your apps such that safety of user data is guaranteed (as far as possible) even if built in ressources get compromised. If the knowledge of that URL alone poses a security threat, then your whole approach and your clients API is inherently insecure. Remember that such information could possibly be captured by a man-in-the-middle attack (and other modes of attack) as well.
Avoid security by obscurity. Store sensitive data only on disk if it is necessary. As a rule don't allow PIN / TAN storage.
Some thoughts which may (or may not) convince your client that your app is as safe as it can be:
As long as the app runs on a non-jailbroken device, it is unlikely that an attacker, even with knowledge of your apps internals is able to get to any user data, because the iPhone normally doesn't offer opportunities to interfer with your app
If the attacker is able to get to your users data, and provided you have been protecting that data with all means available under iOS (-> keychain -> crypto chip ->...), then it's not your fault. It means the device is either jailbroken or there are vulnerabilities to the system itself which have been exploited, you just can't do anything about either possibility.
It is impossible to prevent reverse engineering of your app. Even if you had put more effort into obfuscation, an attacker with strong motivation would still be able to get what he wants. Your client needs to get used to this as it's a fact.
Other platforms suffer from similar vulnerabilities, yet on the iPhone at least you have a somewhat closed environment and a reduced risk of being attacked with trojans and the like.
The governments and security firms get hacked on a regular basis, although they should now how to protect themselves. This means life is inherently insecure, cope with it.
I was recently researching over this and I found this article helpful, especially the part quoted:
The code for a native app is stored in the form of a binary executable file, which is further encrypted; its decryption is performed only when the executable file is loaded by the processor into the random access memory and the whole decryption process happens at the hardware level. That is why it is very hard to create offline decryption tools. The only way to decrypt encrypted binary data is on a jailbroken device with a few special tools installed.
Security in iOS: Protecting .ipa File Content by Stoyan Stoyanov
I've searched the web for this bit to no avail - I Hope some one can point me in the right direction. I'm happy to look things up, but its knowing where to start.
I am creating an iPhone app which takes content updates from a webserver and will also push feedback there. Whilst the content is obviously available via the app, I don't want the source address to be discovered and published my some unhelpful person so that it all becomes freely available.
I'm therefore looking at placing it in a mySQL database and possibly writing some PHP routines to provide access to my http(s) requests. That's all pretty new to me but I can probably do it. However, I'm not sure where to start with the security question. Something simple and straightforward would be great. Also, any guidance on whether to stick with the XML parser I currently have or to switch to JSON would be much appreciated.
The content consists of straightforward data but also html and images.
Doing exactly what you want (prevent users from 'unauthorized' apps to get access to this data') is rather difficult because at the end of the day, any access codes and/or URLs will be stored in your app for someone to dig up and exploit.
If you can, consider authenticating against the USER not the App. So that even if there is a 3rd party app created that can access this data from where ever you store it, you can still disable it on a per-user basis.
Like everything in the field of Information Security, you have to consider the cost-benefit. You need to weigh-up the value of your data vs. the cost of your security both in terms of actual development cost and the cost of protecting it as well as the cost of inconveniencing users to the point that you can't sell your data at all.
Good luck!
I have several plist files in my app, that I want to be non human readable, or editable.
The idea is to encode them using another app, then drop them in the normal iphone app just for decoding and processing.
I have drooped encryption because 1st, I don't need something with strong encryption, and 2nd because of the app store procedure for encrypted apps.
Can anyone suggest me how to proceed? What is the simplest (not the best in terms of encryption) method implement?
Please assist!
iPhone applications are "sandboxed", meaning that applications cannot read each other's data; each application has associated with it its own username and group, along with its own set of folders that it owns. An application cannot access the folder or data of another iPhone application. Therefore, the requirement doesn't really make sense. You should simply use NSDictionary -writeToFile:atomically, and NSDictionary -initWithContentsOfFile to read/write the data to/from a PLIST. If you need to add encryption (because you are worried about two people sharing the iPhone, or something like that), then I suggest you encrypt the individual entries before placing them in the dictionary.
Edit
Based on your comment below, it appears that you are trying to prevent people from pirating your application, rather than trying to protect user data as the question implies. Unfortunately, it is always possible to pirate an application. Anything ranging from obfuscation to using certificates to asymmetric encryption to running a checksum over the application binary can all be bypassed or defeated. The best way to deter piracy is to have a quick iteration cycle and to place most of your data in the cloud, where it is frequently changed and updated, as doing so diminishes the value of any pirated snapshot of the application. That said, it is generally a good idea to consider software piracy as simply a cost of doing business. Most users will not pirate the application, and since all the various methods for protecting your application can (and will) be defeated, the costs of implementing such things is generally not worth it.
Take a look at the NSDataWritingOptions of NSData. There is built in encryption for binary plist files. I've never used it so I don't know how easy it is for someone with developer's tools to defeat it. It should however provide protection against casual thievery.
However, if your worried about about other developers stealing your content, your best protection will be copyright. Copyright protects content, that's what its for. Make sure to include a copyright in the actual plist as part of the data. Stick a copyright in every resource file e.g. images.