How can I protect files in my application "Documents" directory? Using iFunBox, or another application like it, anyone can to see, what application store in it's documents directory. So if I want to store some private data, or information about in-apps status, gold, achievments or something else just in .plist-files it will be not safelly.
Maybe there is a best-practices for iOS application how to secure and protect their data?
It is not possible to truly secure data from the user. It is naturally secured from other applications, but the user is always able to get access to everything on-disk or in memory.
That said, if you have data that the user is not supposed to access, then you should not store it in Documents, since this is backed up via iTunes. You should store it in Library. See "The Library Directory Stores App-Specific Files" in the File System Programming Guide for details on each possible location and how it is treated by the system.
Applications you make for iOS are sandboxed, i.e., the apps feel like they are the only thing on the system. As a result, they cannot access any place outside the app. You are restricted to using the Documents, Library folders which are visible to applications like iFunBox.
Your best bet is to hash out the data and then store them to files, so that if anyone tries to edit your files it results in a hash mismatch, that you can read in your application, and make your data secure.
Related
I have created a framework in iOS, now I want to save some data within the framework so that the app don't have access in that and library can change the data whenever required , what is the best possible way to do it , taking all security issues into consideration ?
The only way of making it private to the framework/library is to encrypt the data as the app has the same level of access to files as the framework/library.
Also note that data is not saved into the framework itself, but into one of the many folders made available to the app (i.e. Application Support, Caches, Documents, etc.).
I don't know what you mean by "taking all security issues into consideration", however if you mean "make it impossible to access" then that won't happen as you will need to use a key to encrypt the data and it won't be possible to hide the key from a dedicated and skilled attacker. You will deter the casual user, however.
I am learning iOS file system to store my game data like saving the amount of money earned and things like this in a xml file.
The question is where should I store them?
I read this: File System Basics
And I don't know that I should save data in Documents directory or Application Support directory.
Because the data I want to save is something that is not associated with user's documents and user will never see it so it should be in Application Support, but on the other hand it's something that is affected by user interactions so it should be in Documents.
I think it is the Application Support/MyGame as per the Apple Developer guide link shared by you. You are confused by the fact that it should not be something affected by user interaction. Actually it means user should not directly interact with these. See this from the link: File System Basics
Using something like Parse may slow down your app as it needs to interact with their server, but you do get a backup.
For something of this size, I'd use a mobile backend solutions provider like Parse or Firebase. Personally I use Parse in my projects and is very easy to implement advanced functionality into your apps like user registration/save data to users.
Hope this helps.
I'm learning to build iOS swift apps, and I'd appreciate guidance on what storage options to use for different parts of my app. Perhaps examples of how other professional apps architect their storage would be helpful too.
To be specific, I see my options as
an independent MySQL DB
amazon s3
core data
nsuserdefaults
keychain
The app allows users to see/stream/download/upload videos and photos to their account/app as well as do all the normal voting, customizing user preferences, etc. This is an arbitrary app example though. A social media app storage would also be a good case study for me.
Given the variety of functionality to implement, I'm curious as to the best practices for storage architecture in maintaining sessions, persistence, and security.
Right now all I've implemented is having the user create an account and login by doing http requests to the MySQL DB. And i upload and download media from my s3. Each time user data is pulled anew from the DB.
Should i cache/archive stuff into coredata to make it faster for the user?
If a user wants the app to "remember me", where is that data stored?
Instead of straight http calls for logging in, should i do something with keychain? (keychains are the only thing i haven't implemented yet in that list. The rest I've messed with independently)
I've also heard nsuserdefaults is only to be used for user preferences.
Thanks for all advise.
Yes You should use core data for better performance.
Core Data would be a much better tool for the job:
->No mismatch between cache index file and actual data stored;
->Trivial querying;
->Nice and easy object oriented code.
NSUserDefaults
If you want to add Remember me option you have to use NSUserDefaults. It will store in plist file. For more information you should go through this.
KeyChain
Sensitive data like passwords and keys should be stored in the Keychain. Apple's Keychain Services Programming Guide states that a "keychain is an encrypted container that holds passwords for multiple applications and secure services. Keychains are secure storage containers, which means that when the keychain is locked, no one can access its protected contents". Moreover, in iOS, each application only has access to its own keychain items.
You interact with the Keychain by passing in a dictionary of key-value pairs that you want to find or create. Each key represents a search option or an attribute of the item in the keychain.
I am trying to understand something that is not clear to me about the storage and access of additional content downloaded from my own server to my iOS app. Clearly this is possible, see the section called Downloading Content from Your Own Server . I understand how to process receipts and how to make a call to my server. What is not understood is:
When I initiate a download from my server what file type does the download need to consist of? Can it be anything I want?
Where I am a supposed to store it on the device considering the app bundle is not allowed to be updated?
How does my app access the data?
In the simplest of cases, say I am delivering an xml or json file I guess most of the above would work like this: store the file in the documents directory, use filepaths in the app to access and load the data.
However what if it is something more complex that includes say images and other data that should be accessible just like other resources in the app bundle are accessible?
The crux of what is not clear to me is what type of data can be delivered, if it is anything I desire (which I presume it is) and I have complete control of the data type, where should this data content be stored and how can I enable my app to access this data as seamlessly as possible. For a concrete example suppose I am making a game, the first level is included in the app bundle, I deliver the second level via my own server, now, can I load that level the same way I load the one in the app bundle?
If there is a link or documentation I can pointed to that would be helpful but I have not found anything just yet, perhaps it is the concept of the app bundle that is most confusing because on a regular program I can do whatever I wish and things are not so unclear.
I use my app to download file then I save into IsolatedStorage.
Can someone hack and get my files or folders from my app?
I do not know how IsolatedStorage protects its data? Do we have another ways to protect data in IsolatedStorage?
Yes your data is vulnerable.
If this data contains user details, like emails, passwords or even personal information then this should be made secure.
If you are storing information about a user's favourite colour or favourite car then this CAN be deemed as "not sensitive" and you will then have to decide whether you want to protect this.
Always assume that people can get at your data. It's just a matter of time before they can access it (just look at how people have jailbroken the iPhone and a vast array of other smart phones for that matter).
Remember Security is not obtained through Obscurity
The following link has good answers in relation to Isolated Storage on Windows...
https://security.stackexchange.com/questions/5660/how-secure-is-isolated-storage-on-windows
From within a managed application it's not going to be possible to access the Isolated Storage of another application. However from native code that's another matter, and WP8 has support for native code...
http://msdn.microsoft.com/en-us/library/windows/apps/jj681687(v=vs.105).aspx
Plus The following article asserts that there's only a registry in the way of a hacker who wants to get unmanaged code on to WP 7.1...
http://www.wpcentral.com/let-hacking-begin-how-windows-phone-7-can-run-native-unmanaged-code
So on WP7 it's pretty clear your app shouldn't store any sensitive data in isolated storage on WP and on WP8 it's even clearer. If you can avoid putting sensitive data in isolated storage do so, otherwise you'll need to encrypt the data, and then of course you need to consider the security of the encryption and the keys used to decrypt and encrypt the data. The following looks like a good guide on how to do that best...
http://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx
At the end of the day security is nothing more than a series of hurdles for a hacker, ultimately they'll probably get access to the data if they're really determined and have the skills and resources available to do so.