I have created a framework in iOS, now I want to save some data within the framework so that the app don't have access in that and library can change the data whenever required , what is the best possible way to do it , taking all security issues into consideration ?
The only way of making it private to the framework/library is to encrypt the data as the app has the same level of access to files as the framework/library.
Also note that data is not saved into the framework itself, but into one of the many folders made available to the app (i.e. Application Support, Caches, Documents, etc.).
I don't know what you mean by "taking all security issues into consideration", however if you mean "make it impossible to access" then that won't happen as you will need to use a key to encrypt the data and it won't be possible to hide the key from a dedicated and skilled attacker. You will deter the casual user, however.
Related
I just wanted to do a quick sanity check with StackOverflow to confirm my suspicion. I'm creating an app and was tempted to use FMDB in Swift to store some data.I am treating this data as public in the sense that I assume it can be tampered with (and thus untrusted). This is because, after all, unlike a web app, this app runs on a user's device and thus they can access the .sql file and alter the database.
If I wanted to store information like if a user purchased something, unlocked certain weapons, or other data that I do not want to be altered in any way, I should not use a local database on the user's device.
Would you say this is correct and safe to proceed under this assumption? If I was looking to use the database to persist something important that took place, what would be a good approach? encryption with the key in the app, or maybe a hash or something?
If you want to secure your database, FMDB includes hooks for SQLCipher, which you have to obtain separately. See the various FMDB Encryption Methods that you can use once you have SQLCipher included in your project.
I'm learning to build iOS swift apps, and I'd appreciate guidance on what storage options to use for different parts of my app. Perhaps examples of how other professional apps architect their storage would be helpful too.
To be specific, I see my options as
an independent MySQL DB
amazon s3
core data
nsuserdefaults
keychain
The app allows users to see/stream/download/upload videos and photos to their account/app as well as do all the normal voting, customizing user preferences, etc. This is an arbitrary app example though. A social media app storage would also be a good case study for me.
Given the variety of functionality to implement, I'm curious as to the best practices for storage architecture in maintaining sessions, persistence, and security.
Right now all I've implemented is having the user create an account and login by doing http requests to the MySQL DB. And i upload and download media from my s3. Each time user data is pulled anew from the DB.
Should i cache/archive stuff into coredata to make it faster for the user?
If a user wants the app to "remember me", where is that data stored?
Instead of straight http calls for logging in, should i do something with keychain? (keychains are the only thing i haven't implemented yet in that list. The rest I've messed with independently)
I've also heard nsuserdefaults is only to be used for user preferences.
Thanks for all advise.
Yes You should use core data for better performance.
Core Data would be a much better tool for the job:
->No mismatch between cache index file and actual data stored;
->Trivial querying;
->Nice and easy object oriented code.
NSUserDefaults
If you want to add Remember me option you have to use NSUserDefaults. It will store in plist file. For more information you should go through this.
KeyChain
Sensitive data like passwords and keys should be stored in the Keychain. Apple's Keychain Services Programming Guide states that a "keychain is an encrypted container that holds passwords for multiple applications and secure services. Keychains are secure storage containers, which means that when the keychain is locked, no one can access its protected contents". Moreover, in iOS, each application only has access to its own keychain items.
You interact with the Keychain by passing in a dictionary of key-value pairs that you want to find or create. Each key represents a search option or an attribute of the item in the keychain.
I would like to sync a core data app with a user with a different iCloud ID and I am trying to figure out the most graceful way to do this. I do not want the data to sync with all users, but want to be able to sync among family members for instance. From the research I have done, I do not think I can do that using iCloud Core Data sync because it only syncs between devices with the same iCloud ID. I have looked at this stackoverflow answer and read a little bit about Ensembles, Parcelkit and TICoreDataSync, Parse etc., but it is not clear to me if any of those options will allow me to sync with multiple users. Does anyone have a good method for syncing a Core Data app with multiple users?
Ensembles and TiCoreDataSync might work. They can use Dropbox file syncing, so in principle they should work with Dropbox shared folders. I don't think these are the main intended uses, so I suggest contacting the developers and/or doing some good testing yourself before assuming this would actually work.
You'll need to think about the user experience, though. At a minimum, your users would both need Dropbox accounts and would have to set up a shared folder before beginning to sync data this way.
Parcelkit probably won't work. It uses Dropbox's data store API which, unlike other Dropbox services, doesn't appear to support shared data.
Services that do support this kind of sharing exist-- for example, Parse and Firebase-- but make sure to review their pricing carefully before using them. Also of course, there have been any number of projects that have their own custom server back end, but that obviously requires having someone on the team who can do that kind of work.
You need to think about other device types (Android at least) if you want your application to be reaching more users.
I'm doing the same now by the following way:
Setup an online database with proper web services (careful with implementation for security matters - DB should NEVER be exposed by anything other than the web services).
Create a Class for your communication with the server (using Class methods with security handling like authentication and authorisation).
Use the class in your app to communicate with the server (SQL operations are done on the server).
To integrate with CoreData you need to create the model in your app similar to the structure in the backend database. Then you need to create a similar class for the app that deals with only local CoreData.
A higher level class might be required if you want to make sure that operations done on both server and local data storage.
Besides, you have to implement a lot of conditions to make sure that data written in local ONLY after making sure that it is stored online (or create an engine for differed operations to run later).
Another Way if you are familiar with notifications:
Use structured notifications between devices for data operations in order to keep everything in sync with other users. The problem with this is the "Autonomy" of the operations. If two operations were done in approximately the same time, you have to find a way to make sure the order of the operations is done properly (maybe timestamp or something).
I'm looking into the same thing for my app and I 'think' you can do a fairly unsecured version of what you are after using using the public folder in cloud kit as mentioned in this question (no accepted answer at time of posting) : Private data sharing using CloudKit
You would need to find a way to differentiate between data that is truly public and those shared among the users you need and some level of authentication.
I'm going to try exporting a permission file with access permission in it to whomever I want to share with combined with a unique identifier located in that permission file.
Keep in mind, as mentioned in the comments of the linked answer, my implementation will be security by obscurity (thanks for that phrase) unless you find a way of adding proper validation to it but my data is relatively insensitive.
Hope this, or any ridicule in the comments, points you in the right direction : )
How can I protect files in my application "Documents" directory? Using iFunBox, or another application like it, anyone can to see, what application store in it's documents directory. So if I want to store some private data, or information about in-apps status, gold, achievments or something else just in .plist-files it will be not safelly.
Maybe there is a best-practices for iOS application how to secure and protect their data?
It is not possible to truly secure data from the user. It is naturally secured from other applications, but the user is always able to get access to everything on-disk or in memory.
That said, if you have data that the user is not supposed to access, then you should not store it in Documents, since this is backed up via iTunes. You should store it in Library. See "The Library Directory Stores App-Specific Files" in the File System Programming Guide for details on each possible location and how it is treated by the system.
Applications you make for iOS are sandboxed, i.e., the apps feel like they are the only thing on the system. As a result, they cannot access any place outside the app. You are restricted to using the Documents, Library folders which are visible to applications like iFunBox.
Your best bet is to hash out the data and then store them to files, so that if anyone tries to edit your files it results in a hash mismatch, that you can read in your application, and make your data secure.
I use my app to download file then I save into IsolatedStorage.
Can someone hack and get my files or folders from my app?
I do not know how IsolatedStorage protects its data? Do we have another ways to protect data in IsolatedStorage?
Yes your data is vulnerable.
If this data contains user details, like emails, passwords or even personal information then this should be made secure.
If you are storing information about a user's favourite colour or favourite car then this CAN be deemed as "not sensitive" and you will then have to decide whether you want to protect this.
Always assume that people can get at your data. It's just a matter of time before they can access it (just look at how people have jailbroken the iPhone and a vast array of other smart phones for that matter).
Remember Security is not obtained through Obscurity
The following link has good answers in relation to Isolated Storage on Windows...
https://security.stackexchange.com/questions/5660/how-secure-is-isolated-storage-on-windows
From within a managed application it's not going to be possible to access the Isolated Storage of another application. However from native code that's another matter, and WP8 has support for native code...
http://msdn.microsoft.com/en-us/library/windows/apps/jj681687(v=vs.105).aspx
Plus The following article asserts that there's only a registry in the way of a hacker who wants to get unmanaged code on to WP 7.1...
http://www.wpcentral.com/let-hacking-begin-how-windows-phone-7-can-run-native-unmanaged-code
So on WP7 it's pretty clear your app shouldn't store any sensitive data in isolated storage on WP and on WP8 it's even clearer. If you can avoid putting sensitive data in isolated storage do so, otherwise you'll need to encrypt the data, and then of course you need to consider the security of the encryption and the keys used to decrypt and encrypt the data. The following looks like a good guide on how to do that best...
http://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx
At the end of the day security is nothing more than a series of hurdles for a hacker, ultimately they'll probably get access to the data if they're really determined and have the skills and resources available to do so.