iOS Banking AES-128 End to End Encryption Implementation - ios

I'm creating a banking application for iOS that is transferring sensitive encrypted data from an Azure mobile backend to an iOS device. What is the best way to go about decrypting this data on an iOS device securely? What protocols should be used? What third party libraries / services? Are there standards for financial applications that I should be aware of?
I've heard things thrown around such as EKS encryption with SQL, SSL, RSA / Diffie Hellman encryption, AES-128 being a standard practice etc etc. Is there anything practical to implement without delving into low level C code?

SSL works for data in transit; pin the certificate.
AES128 is fine for data at rest, but the key must be good and secured.
On iOS, put the key in the Keychain; there is no more secure method.
If you need to store a key on a server, keeping it secure is more of a problem.
Finally, at a minimum, use two-factor authentication on the server.

My solution ended up being to use AESCrypt (GitHub: https://github.com/Gurpartap/AESCrypt-ObjC).
This proved to be as simple as dragging the class files into Xcode and calling:
[AESCrypt encrypt:secret password:password];
[AESCrypt decrypt:secret password:password];
Thanks for the help! I will probably end up implementing some sort of CocoaPods supported platform later on, but this will work for now.

Related

Encryption algorithms compatibility between Android Key Store and Apple Enclave

I have the scenario as explained below.
Background
--------------
I have 3 types of devices/users in my ecosystem. One type of device is Android, other is Apple iOS and third kind of device[user] is the cloud application.
Scenario
-------------
So my use case here is that either of the Android or iOS could be the producer of some 'data key'. And I am using Android Key Store on Android to do encryption/decryption while I am using the Secure Enclave on iOS for encryption/Decryption. The public key will be fetched from some common data store.
Scenario 1: iOS device fetches the public key of android device[user] from central data store and encrypts the data key using this public key using its Enclave algorithm and puts the encrypted data key on central data store.
Now Android will fetch this encrypted data key and will try to decrypt this using its private key on AndroidKeyStore.
Now here the challenge is: how can I choose the same algorithm specification (salt/padding/MGF1 etc.) in order to successfully decrypt the data key? I want to have this kind of compatibility.
I can handle the cloud application[user] by changing the java options as this application has been written in java.
Scenario 2: The second scenario is just similar to the scenario 1 above but in this scenario Android is encrypting and iOS is decrypting.
My approach on this so far:
I am thinking of using some independent security provider for example Bouncy Castle for all the encryption and decryption activity on either device or cloud application instead of using the on-device encryption/decryption.
But this is not so secure and will have the plain private key stored in memory of the application and hence increasing the risk.
I am sure this is not the first time this problem is being solved and there must be some approaches/algorithms available to make this happen.
Could someone please guide me on this?

Should I add ITSAppUsesNonExemptEncryption to yes in plist in iOS app?

I am using base 64 bit encryption for encrypting the string while sending request over the network in some web apis.
Please let me know: in iTunes Connect, should I select yes for encryption?
Thanks in advance!!!
As far as you are sending encrypted content over network using iOS's encoding technique base64 encoding, you need to mark it as NO.
You are not using any encryption techniques like AES, DES, RSA, so you are not using encryption at all.
Base64 is not encryption - It is an encoding technique.
Question: Is your app designed to use cryptography or does it contain or incorporate cryptography?
Answer: "YES" to the question if your app is using encryption. Some examples of encryption use include:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
Answer "NO" if your app does not use, access, implement or incorporate encryption.
Question: Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the encryption in Apple's iOS or macOS?
Answer: "YES" to the question if your app implements industry standard algorithms such as AES, DES, RSA, and so on, instead of or in addition to accessing or using the encryption algorithms available in Apple's iOS or macOS.
Answer "NO" if your app does not implement industry standard algorithms instead of, or in addition to, accessing or using the encryption algorithms available in Apple's iOS or macOS.
For more information visit Q&A for iTunes Connect.
Update for Comment about ATS :
NSAllowsArbitraryLoads
Since the release of iOS 10 and later, and macOS 10.12 and later, setting this key to the Boolean value YES disables App Transport Security (ATS), which may result in rejection of the application from App Store Review.
Use of this key triggers App Store review and requires justification.
So it is recommended to use HTTPS server with TLSv1.2 support.
Enabling this key can also be useful for debugging and development.
NOTE: Disabling ATS allows connection regardless of HTTP or HTTPS configuration, allows connection to servers with lower Transport Layer Security (TLS) versions, and allows connection using cipher suites that do not support perfect forward secrecy (PFS).
This key's default value of NO results in default ATS behavior for all connections except those for which you have specified an exception domain dictionary.

iOS inter-app communication

I am wondering what is considered the most secure way of two apps exchanging data within Cocoa Touch env.
I am very much new in iOS development and swift development and I am just looking to explore another part of the OS capabilities.
I read about App Groups sharing a location (directory) where files can be exchanged but also about URL schemas between apps to share data.
Are there any other ways of inter-app data exchange? And which is considered the most secure one?
It depends on what you consider secure, but the iOS Keychain may fit your needs. The iOS Keychain is password protected and can be accessed by other applications that you authorize.
Take a look at the official Keychain Services Programming Guide and this article, which explains how it works.

Application-specific file encryption in iOS

I need to develop some simple demonstration of an application reading a file over HTTPS and saving it to the local memory (internal or external) of an iOS device (e.g., an iPhone), in a way that it is only accessible to it. So, application-specific file encryption is required.
The "Advanced App Tricks" page of the Apple iOS Developer Library, in the "Protecting Data Using On-Disk Encryption" section, seems to imply that a file encrypted on disk, via either Default (i.e., iOS filesystem) or "Complete" Data Protection, would be accessible by all applications, after the user types the device's lock code.
If that is the case, could someone please suggest the best way of implementing file encryption per-application on an iOS device, with a password request when a user tries to open the file? Any sample code would also be very helpful.
Also, does "software encryption" apply to iOS anymore? Both Default and Data Protection encryption seem to be hardware-based.
Thanks!
Application files are not accessible between Apps. Each App is individually sandboxed.
In all cases the document is talking about the access available to "Your App". It is never accessible to another App. But see below. Some of the protection options help cover what and when "Your App" has access to the file when in the background.
Jailbroken iOS devices will have greater file system access, so adding "Data Protection" will protect from this vector.
See the document section on The iOS Environment, and particularly the section "The App Sandbox": iOS Environment
Hardware encryption: There are a few things that hardware encryption provides. 1. Speed. 2. The encryption method cannot be changed; that is, unlike with software encryption, there is no code that could be compromised. 3. The key cannot be accessed. The key is in some manner placed/created in the hardware, and the hardware does not allow read access (there are occasionally very secure export capabilities). The device is asked to perform crypto functions on data and returns data. Examples of this are smart cards, HSMs, TPMs and TPM equivalents; the iPhone has a TPM equivalent and that is used for the Keychain. By chance my wife and I were discussing this very topic yesterday. :-)
As far as I know, for encryption of bulk data, iOS does use special hardware instructions to aid AES encryption for speed, but that would not be considered hardware encryption due to the key being available in software. There is a little guessing here due to the lack of information about the Apple A-series ARM chips; it is true of the Intel chips in Macs.

encrypting/ decrypting strings to text

I am creating an app that would allow people to share sensitive info with each other via the iPhone SMS app. I want to make use of the security framework that Apple provides, using keys that the people sharing that data know beforehand to encrypt and decrypt strings. I don't have much knowledge about the whole keychain system on iOS devices or security protocols in general, so does anyone know any good resources for learning about this stuff?
Try
http://useyourloaf.com/blog/2010/3/29/simple-iphone-keychain-access.html
http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code
http://dev-metal.blogspot.com/2010/08/howto-use-keychain-in-iphone-sdk-to.html
