Secure Persistant Caching in an iOS Static Framework - ios

I am currently in the process of writing a static iOS framework that connects developers to my API and returns to them objectified information at their user's requests. However, in order for this framework to be worthwhile, one of the requirements is that this framework must be able to cache the information locally and return an offline copy when a network connection is unavailable. I am aware that I can store this information in NSUserDefaults but there may be a case where the information that is cached may be private and the local developer should not be able to have access by guessing the proper key. I believe that best approach will involve some sort of encryption but I wanted to see if there were any other storage options available to a static framework other than NSUserDefaults.
I would like to keep my data in an objectified format if possible. Two solutions I would be interested in exploring would be to save my offline data in either SQLite or CoreData. However, with both of these approaches I am concerned about how these files would be stored in the framework (I already have an embedded framework) and the security issues of having the schema for these files available in the bundle for the developer to see.
Another solution that I am looking into would be to see if iOS supports any tools such as gzip that could be used to password protect my files until they are used by the framework.
Has anyone successfully overcome any of these issues? Is there anything else I should be looking into besides the previously mentioned possible solutions? Any advice will be warmly welcomed.
Thanks.
P.S. Does anyone know of any resources I could go read relating to iOS Security or static frameworks? Either would be very helpful.

Related

What is the best way for an iOS app access data from a public website without overloading it?

I would like to use some publicly available data from a government website as a source of data in an iOS app. But I am not sure what is the best / most polite / scalable way have a large number of users request data from this website with the least impact on their servers and best reliability for me.
It is 1-50kb of static XML with a fixed URL scheme
It updates with a new XML once a day
New users would need to download past data
It has a Last-Modified header but no caching headers
It does not use compression or a CDN
It's a government website, so if someone even replies to my email I doubt they are going to change how they host it for me...
I'm thinking I could run a script on a server to download this file once a day and re-host for my app however my heart desires. But I don't currently run a server which I could use for this and it seems like a lot just for this. My knowledge of web development is not great, so am I perhaps missing something obvious and I just don't know what search terms I should be using to find the answer.
Can I point a CDN at this static data somehow and use that?
Is there something in CloudKit I could use?
Should I run a script on AWS somehow to do the rehosting without needing a full server?
Should I just not worry about it and access the data directly??
You can use the AWS S3 service (Simple Storage Service).
The flow is somewhat like this:
If the file doesn't exist on S3 yet, or, if the creation date of the file on S3 is yesterday, the iOS app downloads the XML from the gov site and stores it in S3.
If the file exists on S3 and is up to date, download it from S3.
After that, the data can be presented by the app without overloading to the site.
I think the best way for you is to create an intermediary database where you can store your data in a secure manner.
Create a pipeline that does some data transformation and store in you newly created database.
Create an api with pagination and you desired filters
Also make sure you are not violating any data policies in the process.
I hope this helps.

Are ios local database in apps secured? How to secure them?

in 2017 I would like to make an ios App for iphones/ipads in which I will have a database.
The database is the result of 7 years of research. This database is highly important to us. If it gets stolen, it could destroy our business.
Our idea is a medical app.
Users put their symptoms and it queries the database that gives the disease.
A developer told me it was not possible to protect the database. So its offer was simple : the symptoms are asked locally, then it generates a code that is sent to a server (internet). The server reads the code and process the query and sends back its result. The security is done on the server and not on the ios App. I dont like that solution as it is not local.
Another developer told me it was possible. The database is encrypted and decrypted in the RAM. It is highly secured. At least as secured as a server.
I dont know what to think, but I really would like to have your lights.
I would like the database to be highly secured and the app to work in local (no internet).
Thanks for your help
PS: I forgot to add that users never write on the database. They are just using it...
In my openion
If the data is extremely sensitive then it should never be stored offline on the device because all devices are crackable.
The keychain is one option for storing data securely. However it's encryption is based on the pin code of the device. User's are not forced to set a pin, so in some situations the data may not even be encrypted. In addition the users pin code may be easily hacked.
A better solution is to use something like SQLCipher which is a fully encrypted SQLite database. The encryption key can be enforced by the application and separate from the user's pin code.
Other security best practices are:
Only communicate with remote servers over SSL/HTTPS.
If possible implement certificate pinning in the application to prevent man-in-the-middle attacks on public WiFi.
Clear sensitive data out of memory by overwriting it.
Ensure all validation of data being submitted is also run on the server side.

Is it possible to substitute a server backend using Dropbox?

I am developing an iOS application (to be deployed on the App Store) that requires content updates on a weekly basis.
I understand that the best way to achieve this would be to use a server, where the app would query for new data and download responses in JSON. However I am not knowledgeable when it comes to HTML, PHP or MySQL and therefore am endeavoring to find an alternative.
Here's an idea: using Dropbox to substitute for a server backend. My app connects to one central Dropbox account, checks for new files, and downloads them if present.
Is this idea feasible? If not, are there any alternatives?
Dropbox cannot be a dependable substitute for your server/backend for following reasons:
Dropbox uses OAuth for authentication, which needs user interaction. You do not want your app users to go through Dropbox authentication with your 'common' credentials.
Users who have a Dropbox account or the app installed, will most likely use their own credentials to login which completely breaks your flow.
Drobox, although a good way of sharing and syncing files is not meant for more meaningful data like web services etc or user/database interaction etc. Just syncing JSON file may suffice your app's needs for now but from a long term perspective you want a proper back end.
As suggested in the comment by #tkanzakic you can use one of the substitution services if you don't want to get too technical on the backend.
I am pretty late to the party, but this is possible and not necessarily a stupid idea (though this depends on what you need). You might want to have a look at remote storage for example, which allows you to use Dropbox among other providers as backend.
For sure, you can use the Dropbox Sync API to achieve this (https://www.dropbox.com/developers/sync).

how to synchronisation over multiple mobile devices

Is there anyone who worked out a synchronisation plan for a mobile application? I've been searching for it, but can't find a good example. I'm looking for a plan such as I think evernote uses to sync the files on the mobile phone with the backend.
My current plan:
- when you start the app: all your files will be downloaded from the backend using you username and password
- when you create a new object and there is network connection: object is stored localy in the core data (IOS), and transferred to the backend
- when you create a new object, but there is no network connection: the object is stored locally, and transferred when you are connected to the network and press sync.
All suggestions are welcome!
tahnks!
Sorry, I did forget some important information...
I'm using a grails backend
the frontend (mobile application) is an IOS app
Is there a good way to make sure there are nog file/version conflicts between the different devices?
You cold use various ways.
At my advice, the best one is to use the Parse framework. It is very easy to use and simple. Log in and save objet all in one. Please visit this: http://parse.com
Otherwise, You can use iCloud to store and synchronize your objects.
Find the Mobile Backend-as-a-Service (MBaaS) that fits your app best.
This link can get you started in your search.

Best Way to Store Device Configuration for iOS Application

I am developing an iOS application that is more of a permanent install type application, and it will be different per client. So, I'm looking for the best way to install some type of a configuration on the device that the app can detect and in essence 'lock' it into a specific setting for a client. I want this to persist even if an application is deleted.
Something like a mobileconfig file would be neat, but I don't think those can contain undefined variables or be read by the applications.
I'm curious what the best and cleanest approach would be for this.
As the other answer and comments have said this cannot REALLY be done without the device being jail broken. However... There is a possible alternative.
You can use OpenUDID or SecureUDID to create a unique identifier, then create the configuration in your server database. The application will connect to your server to obtain the global configuration should the configuration file not exist. This way, if the user uses your application, then deletes the application and then reinstalls it, you will still have their configuration which the application can redownload and store locally on the device.

Resources