SQLite Database Security and Tampering - ios

I just wanted to do a quick sanity check with StackOverflow to confirm my suspicion. I'm creating an app and was tempted to use FMDB in Swift to store some data. I am treating this data as public in the sense that I assume it can be tampered with (and thus untrusted). This is because, after all, unlike a web app, this app runs on a user's device and thus they can access the .sql file and alter the database.
If I wanted to store information like if a user purchased something, unlocked certain weapons, or other data that I do not want to be altered in any way, I should not use a local database on the user's device.
Would you say this is correct and safe to proceed under this assumption? If I was looking to use the database to persist something important that took place, what would be a good approach? Encryption with the key in the app, or maybe a hash or something?

If you want to secure your database, FMDB includes hooks for SQLCipher, which you have to obtain separately. See the various FMDB Encryption Methods that you can use once you have SQLCipher included in your project.
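The "hash" idea raised in the question, as an added example that is not part of the original posts (Python rather than Swift so it runs stand-alone): each row carries an HMAC over its fields, and a row whose tag does not verify is treated as locked. The table layout, function names and key are constructed; the key is embedded as the question proposes, so this detects edits made directly to the file but not by someone who extracts the key from the app.

```python
import hashlib
import hmac
import sqlite3

# Assumption: constructed key embedded in the app. Anyone who extracts it can
# forge tags, so the authoritative purchase record still belongs on a server.
APP_KEY = b"constructed-demo-key-not-a-real-secret"

def tag_for(user_id, item, unlocked):
    """HMAC-SHA256 over a length-prefixed encoding of the row's fields."""
    parts = [str(user_id).encode(), item.encode("utf-8"), str(unlocked).encode()]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS unlocks ("
               "user_id INTEGER, item TEXT, unlocked INTEGER, tag TEXT, "
               "PRIMARY KEY (user_id, item))")
    return db

def record(db, user_id, item, unlocked):
    db.execute("INSERT OR REPLACE INTO unlocks VALUES (?, ?, ?, ?)",
               (user_id, item, unlocked, tag_for(user_id, item, unlocked)))

def is_unlocked(db, user_id, item):
    """Trust a row only if its tag verifies; otherwise treat the item as locked."""
    row = db.execute("SELECT unlocked, tag FROM unlocks WHERE user_id = ? AND item = ?",
                     (user_id, item)).fetchone()
    if row is None:
        return False
    unlocked, tag = row
    expected = tag_for(user_id, item, unlocked).encode()
    if not hmac.compare_digest(expected, str(tag).encode()):
        return False  # row was changed outside the app's own write path
    return unlocked == 1

def demo():
    db = open_store()
    record(db, 1, "laser", 1)   # constructed: purchased
    record(db, 1, "rocket", 0)  # constructed: not purchased
    before = (is_unlocked(db, 1, "laser"), is_unlocked(db, 1, "rocket"))
    # Constructed tampering: the flag is changed directly in the database.
    db.execute("UPDATE unlocks SET unlocked = 1 WHERE item = 'rocket'")
    return {"before": before, "after_tamper": is_unlocked(db, 1, "rocket")}
```

Because the tag covers the user and item as well as the flag, a valid tag copied from another row does not verify either.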

Related

Best Practice to store local data in ios framework project

I am working on a custom framework which will be used by developers. I am saving some data locally inside my framework, and for that I am thinking of using UserDefaults, but I want to know:
Is it the best method to do so?
If the app UserDefaults are cleared then will it clear my frameworks data also?
I want to know how I can store local data in an iOS framework. What is the best solution for this?
I am confused about it; can anyone help?
It depends on the data you want to store.
If your goal is to keep some settings for your framework (e.g. whether some features should be enabled or not) then UserDefaults will do.
If you want to store user's data (or anything you can get from the server) then you should probably consider using CoreData, which is a native iOS/macOS/tvOS persistent storage.
You can also use Realm database, but it's not a good idea to use it in frameworks, since it will be added to any application which will use your framework (and the developers probably won't be happy about this).
Regarding your questions:
1) It depends, see above
2) Yes
UserDefaults is great but at times it turns into a mess if you have a lot of information that needs to be stored. Especially the fact that you would need to manage a key/value relationship throughout the app, and usually the keys end up being more than 10 plus.
Just a suggestion but why not use CoreData to manage models and store data in sqlite db on device. When the framework is loaded you can check if the data exists if not then fetch it.
I would suggest using the functionality provided by Apple natively rather than going for 3rd party solutions like Realm; with 3rd party you would need to upgrade to their latest version in order to make things work fine.
Please read these to clear any confusion.
https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/
Tutorial on using Core Data:
https://www.raywenderlich.com/7569-getting-started-with-core-data-tutorial

If I make a database on Realm, will it be accessible to my user without internet access?

I'm trying to build my first Swift app and I think Realm may be a good option for my database. This might be a totally stupid question, but will my users be able to access the data on my database without an internet connection? I'm fairly certain that the answer is yes, but I just want to make sure.
As a side note, I want the data to be stored on the users phone (not a server or anything like that)
Thanks for the help
Yep! Realm is a completely offline, local database solution. There's no online component, but if you do decide to, you can sync data from Realm online using third party cloud services like Parse (Or just literally copying the database file to Dropbox).
By default, all data saved with Realm is stored in a file called 'default.realm' in the Documents directory of your app, but you can easily explicitly set where you want the data to be saved.

How does the Parse Local Database store its data?

Is it using core data?
Is the data encrypted in any way? Is there a way a user could maliciously modify it easily?
I have been trying to look for this answer since LDB was announced for iOS, and have not found any information regarding this other than 'it is just like our android implementation'. If this information is stored in plaintext I cannot store sensitive information in it, which is why I would like to know.
I've just created an app that uses the local database, and here's what I've found.
Inside <app sandbox directory>/Library/Private Documents/Parse there is a file called ParseOfflineStore. This is a sqlite database. There are 2 relevant tables inside (ParseObjects and Dependencies), and pinned objects are stored inside ParseObjects.
To answer your questions:
1) No, it does not use CoreData, but it is sqlite (the same db backing store as CoreData).
2) No, it is not encrypted. It's in the clear, stored in the ParseObjects table, in the json column as cleartext json.
It would be relatively trivial for anyone who can hook up iExplorer to the app to download, change, and upload the local database. However, if you have a user who can do that, it's likely they could proxy your app with Charles anyway ;-)
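A check an app developer can run on their own local store to see whether it is readable in the clear, as the answer above found; this is an added example, not part of the original post or of the Parse SDK. Only the file, table and `json` column names come from the answer; the other columns and all values are constructed.

```python
import json
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file

def has_plaintext_header(path):
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def cleartext_json_columns(path):
    """List (table, column) pairs whose first TEXT value parses as a JSON object or array."""
    found = []
    db = sqlite3.connect(path)
    try:
        tables = [r[0] for r in db.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            # Identifiers come from the file's own schema; quote them for the query.
            for col in [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]:
                query = (f'SELECT "{col}" FROM "{table}" '
                         f'WHERE typeof("{col}") = \'text\' LIMIT 1')
                for (value,) in db.execute(query).fetchall():
                    try:
                        if isinstance(json.loads(value), (dict, list)):
                            found.append((table, col))
                    except ValueError:
                        pass  # ordinary text, not JSON
    finally:
        db.close()
    return found

def build_sample(path):
    """Constructed stand-in for the store; uuid/key columns and all rows are hypothetical."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE ParseObjects (uuid TEXT, json TEXT)")
    db.execute("CREATE TABLE Dependencies (key TEXT, uuid TEXT)")
    db.execute("INSERT INTO ParseObjects VALUES (?, ?)",
               ("constructed-1", json.dumps({"score": 10})))
    db.execute("INSERT INTO Dependencies VALUES (?, ?)", ("pin", "constructed-1"))
    db.commit()
    db.close()

def audit_sample():
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/ParseOfflineStore"
        build_sample(path)
        return {"plaintext_header": has_plaintext_header(path),
                "json_columns": cleartext_json_columns(path)}
```

A store for which both checks come back positive should be treated as user-editable input.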

Can IsolatedStorage of Windows phone be hacked?

I use my app to download file then I save into IsolatedStorage.
Can someone hack and get my files or folders from my app?
I do not know how IsolatedStorage protects its data. Do we have other ways to protect data in IsolatedStorage?
Yes your data is vulnerable.
If this data contains user details, like emails, passwords or even personal information then this should be made secure.
If you are storing information about a user's favourite colour or favourite car then this CAN be deemed as "not sensitive" and you will then have to decide whether you want to protect this.
Always assume that people can get at your data. It's just a matter of time before they can access it (just look at how people have jailbroken the iPhone and a vast array of other smart phones for that matter).
Remember Security is not obtained through Obscurity
The following link has good answers in relation to Isolated Storage on Windows...
https://security.stackexchange.com/questions/5660/how-secure-is-isolated-storage-on-windows
From within a managed application it's not going to be possible to access the Isolated Storage of another application. However from native code that's another matter, and WP8 has support for native code...
http://msdn.microsoft.com/en-us/library/windows/apps/jj681687(v=vs.105).aspx
Plus, the following article asserts that there's only a registry in the way of a hacker who wants to get unmanaged code on to WP 7.1...
http://www.wpcentral.com/let-hacking-begin-how-windows-phone-7-can-run-native-unmanaged-code
So on WP7 it's pretty clear your app shouldn't store any sensitive data in isolated storage on WP and on WP8 it's even clearer. If you can avoid putting sensitive data in isolated storage do so, otherwise you'll need to encrypt the data, and then of course you need to consider the security of the encryption and the keys used to decrypt and encrypt the data. The following looks like a good guide on how to do that best...
http://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx
At the end of the day security is nothing more than a series of hurdles for a hacker, ultimately they'll probably get access to the data if they're really determined and have the skills and resources available to do so.

Hiding data structure for sqlite file stored on Dropbox, using password protection

I have been searching this thread to find the best way to hide the data structure for a Sqlite file used by Core Data in an iOS app. I have found many questions that address the desire to keep data from the end user, but I am primarily interested in protecting my data structure (and secondarily, to keep the user from messing with his data). I am currently using Dropbox to back up my app's Sqlite file, and as it stands, anyone can open the file and see the data structure. In my new app, I would still like to use Dropbox, as it has worked well so far; but I do not want the end user to be able to open the database file. I just want the app to be able to upload or download the file.
It seems as though encryption of the entire file may be overkill, and I do not want to encrypt individual fields because I am more interested in the structure. I have seen a couple of posts that have asked about password protection/encryption, but usually the answers address encryption, and I have not been able to find much on password protection.
From what I have learned (and please correct me if I am wrong):
1) CommonCrypto would be best for field level encryption and is probably not what I am looking for.
2) OpenSSL and SQLCipher will encrypt the database, but may slow performance (and may be overkill for me)
Is there a simple way to provide password protection for the SQLite file, and still be able to read/write with Core Data? I realize that I would have to store the password within the app, which would make it fairly easy for a hacker, but I am okay with this. I am just looking to provide one extra level of protection for myself (as far as the data structure) and for the end user (so that they can't muck with/mess up their data).
If you are only concerned with the Sqlite file that you are backing up to Dropbox, you can use something lightweight like ZipArchive to zip and password protect your file before saving it.
http://code.google.com/p/ziparchive/
Cheers,
Rog