I want to create an app which holds sensitive information (imagine it's bank account details, thought it's not). The user enters this information on a form the first time the app starts up. I want this info to be saved, and available, any time the user uses the app (without having to enter a password). However, if the iPhone has a password lock on it, and is stolen, I don't want the data to be easily accessible from the file system.
What is the best way of encrypting or obfuscating the data? There is not a lot of data, just a dozen NSStrings from the UITextFields on the form.
I'm aware there are encryption export restrictions on the iPhone for non-US developers (I am in UK), so I would prefer to avoid going jumping through any of Apple's app submission hoops to get it on the store.
Why not use the built in Keychain Services? That's what it is for.
EDIT: There an article in SDKDevFAQ.com about Keychain Services that points to a tutorial and sample code on github. Also, check out this blog entry about using the Keychain.
I don't know if a jailbroken iPhone device lets you read NSUserDefaults from other applications or not. If not, you could just store your information in there instead of as a file.
Alternatively, you could generate some salt based on (but not equal to) the device ID, and simply XOR it with the bytes of the strings. As long as your algorithm to generate the salt isn't trivial and the strings aren't too long, the data will be fairly safe. Without getting into heavier encryption stuff, you can't guarantee too much more than "fairly safe".
Related
is the data stored on an iPad/iPhone encrypted?
I assume that the iPad/iPhone has an advanced pass code (not just the 4-digit code).
So my question is if data that my custom app stores in the device is encrypted or not (if no special methods are taken in the source code of the app). Would an attacker be able to read the data? What if he jailbreaks the device?
Thanks!
The answer is no if you don't apply any encrypting technique on it. You can try to use iExplorer to browse all the sandboxes of your device's applications. You may get surprised about the security of many apps out there.
I am just starting getting familiar with security in iOS, but from what I read and understood from Apple's IOS Security whitepaper, files are encrypted by per file encryption keys and those are encrypted by class keys assigned by the application that owns the files (which are sandboxed with the application). And then, the files access depends on the protection policy you assigned in your application.
However, from this answer, it is unclear if the encryption is always on, or just when the device if off or unlocked.
In any case, the above applies from non jailbreaked systems (not sure if they do for jailbreaked ones as well).
According to Apple documentation and other documentation I have read about on disk encryption on an iOS device, it seems that in order to take advantage of the advanced encryption of the device the user must have a passcode enabled so that when you use the NSDataWritingFileProtectionComplete attribute it will encrypt.
What if the user does not have a passcode set but I still want to ensure the files are encrypted? What options are there for this scenario?
Thanks!
Flea
iOS includes several APIs for encrypting data. The automatic on-disk encryption is a user-selected option that lets the user encrypt all the data written to the device's secondary storage. If you need your data to be encrypted whether or not the user chooses to turn on that option, encrypt the data yourself using one of the options provided.
Unless you really know what you're doing (and even if you think you do, you probably don't), it's generally a better idea to use the provided APIs which you can expect to have been written and reviewed by experts.
If you plan to distribute your app outside the US, and you use encryption, you will have to comply with the US Bureau of Commerce restrictions. If you use Apple's provided APIs and you are only using encryption to protect your content, you will be able to distribute your app internationally (according to Apple's iTunesConnect FAQ.)
However, if you write the encryption yourself you will have to go through a review process with the US government.
I've written more than one app that encrypts content on a server so it can be protected even after it has been downloaded to the device.
Even Apple's encryption doesn't prevent someone from making an unencrypted backup or mounting the device as a filesystem and taking the media files your app might have downloaded.
So, to protect your content you must encrypt it yourself. And, you must only decrypt it in ram and never as a temporary file in flash memory (which could be copied off the device.) This makes serving encrypted movies and PDFs a bit challenging. I use a decrypting web server thread; however, there are more modern approaches including a file-level delegate approach that might work better.
I'm concerned about a password to an outside service on the web that I now hold as a clear text string in my iPhone app. The problem is if a hacker buys the app and downloads it into a jailbroken phone. He can inspect the binary code to extract the password string and cause havoc.
I'm sure this is a common problem and has a common resolution but I'm mentally blocked on how to protect the string. If I utilize some form of encryption won't I then open a can of worms for disclosure re international laws regarding encryption ? Anyway, as the decryption would be done programatically within the app in order to use the password, that can be reverse engineered.
What is the recommended route here ? Thx.
The answer is clear once stated. But it was not for a long road of thought. The web service password was needed by the app before it could retrieve anything from the net. Even if it were to be put into the keychain it was in clear text in the app bundle, ready for pleasure seekers looking for the password prior to being first run.
The answer was to encrypt the web service credentials at the desktop and put the encrypted string into the app, which could then be decrypted later when needed fo use. This removed it from being inspected as clear text by a jailbroken phone prior to ever running the app.
Save your password in the Keychain (documentation linked for you).
Never in NSUserDefaults (where everything is in the next best thing to clear text).
Here is a tutorial with some useful info that you can get more information from.
So I am working on a test app that downloads files locally to the app file storage sandbox. Some of these files may be sensitive and need to be protected. My app has a login mechanism, so you wouldn't be able to access the files if you didn't have a login, so my main concern is the ability to sniff the contents (Perhaps on a jailbroken device??).
Now I was wondering if the best method to protecting these files is to encrypt each one independently? Or perhaps there is a way to encrypt the whole sandbox? Or is it encrypted by default? Has anyone ever done anything like this before?
I apologize for the long string of questions, I am trying to gather as much info about this as possible before making a design decision...
Thanks!
You might want to look into the File Protection mechanisms in iOS 4 and later. That provides a way to mark a file as "protected" so it will be stored encrypted on disk at all times, only accessible when the device is unlocked (with a passcode).
See also this question
You can encrypt the whole sandbox using the OS if you target iPhone 4 with OS 4.x. Even then, iOS has this concept of an 'escrow keychain' which is basically a cache of passwords and can he potentially hacked into. As far as I am aware, Mail is the only app that encrypts everything.
In order to encrypt your application data in this way, you just need to set the appropriate NSFileProtectionKey as documented in NSFileManager. But, as mentioned, this is not entirely secure.
You could try a custom category on the file manager that encrypts files based on your own requirement so that you have encrypted documents. The choice is yours.
I have a iPhone app which needs to have a self destruct option. This app is going to be use on sensitive locations and holds some algorithms which are not to be known by anybody except the iPod Holder.
What would be the most "complete" way of deleting the app?
I was thinking of some how writing zeros to the nib file. or the actual application.app but I believe this folders are write protected and sandboxed.
Anybody have any ideas of better ways to achieve this?
Elaboration (Taken from original poster's comments):
This is for a jailbroken iPhone.
These devices are going to be provided to military personnel this device falling into enemy hands would be the least of my concerns. It's going to have a button so wipe the app once the app is written to zero or better yet corrupted with garbage all over the "exe" the app has no way of working and it would require inspection of the iPod flash chip with equipment that i 100% know the wrong people wont have
If you are openly storing the code that contains this algorithm within your application, there's nothing stopping the "wrong people" from jailbreaking the device and copying the complete file structure of the device before you run your "wipe" process.
Additionally, if you are dealing with a U.S. Government customer, I doubt that they will approve of the purchase of a jailbroken device, given that the vendor of such a device has claimed that jailbreaking is illegal. Whether or not this will hold up in court, the government tends to be conservative in these matters and err on the side of caution. Because Apple is a large U.S. company and a vendor to the government, I wouldn't expect the government procurers to take the jailbreakers' side in this.
My recommendation would be to encrypt the particular algorithms within a file in your application's bundle, and require the user of this application to decrypt this file into memory with the correct (difficult) password. That way, even if the "bad guys" were to gain access to the application, they wouldn't have everything they need to access these algorithms and would have to brute-force the password on the encrypted portion. This could be done on a standard, non-jailbroken device.
The U.S. Army is rolling out iPods in the field, with custom applications on them, so I'm sure that you're not the first person facing this challenge. If this work is being funded through a Department of Defense SBIR grant (or similar), you may even be able to contact your contracting officer and see if they can put you in touch with people at the appropriate agency who may be able to help you out with this (or even determine if it an issue to begin with).
I'm going to go out on a limb here and say you may not want to use the iphone for this type of app. There are intentional limitations to this exact type of action on the iphone and in springboard. If you are doing something so sensitive that it can't fall into unauthorized hands my recommendation would be to use a different and more customizable/controllable platform.
Unless you're working from a jailbroken device, you're probably going to run into problems here.
Even if you can find a way to automatically delete the app, you're still running the risk of those algorithms getting into the wrong hands - you would essentially be running into the same problems that Apple has with jailbreaking - once the device is in someone else's hands, it only takes the proper amount of motivation for the data to be accessed.
The only way to secure your algorithms is to pass the data to a remote server and get the results. There's still a possibility of a security breach, but it's much, much lower.
I don't know how well this would work, but you could store the algorithm as a file inside the application bundle, run the algorithm from that file possibly using a scripting language or something, and delete that file if you need to.
The folders are sandboxed, but your application is in there. On my jailbroken iPhone I see that all the permissions are owned by mobile so I don't see any reason why you can't just overwrite all the files with zeroes and then delete them.
The application bundle is effectively read-only, perhaps you should store some of the information in an encrypted form somewhere on a network.
Even if you find a way to write over the app in the flash memory, you really aren't erasing the app. Flash memory chips use wear leveling algorithms to reduce writes to the same blocks and so when you write out zeroes they are typically written to a new block of memory and not to the same block used before, so you really aren't erasing anything. The data can still be recovered from the flash chip (by a pro).
Another option is to separate out the parameters of the algorithm so that the algorithm is no longer sensitive (or at least not usable) and provide the parameters encrypted in a file. Then provide the key to authorized users via the network and don't store that key into flash, only RAM. They would need to get the key every time they start the app. Only give the key to authorized users. Of course, you'll also need to encrypt that key for transmission over the network with another key... There are systems for doing this, don't invent your own, in any case you'll need a crypto expert to do this right.
I would use the built in encryption to store the data, with a key the user has to enter to decrypt it. Without the key it doesn't matter if the data blob is recovered from the device.