I use my app to download a file, then I save it into IsolatedStorage.
Can someone hack and get my files or folders from my app?
I do not know how IsolatedStorage protects its data. Are there other ways to protect data in IsolatedStorage?
Yes, your data is vulnerable.
If this data contains user details, like emails, passwords or even personal information then this should be made secure.
If you are storing information about a user's favourite colour or favourite car then this CAN be deemed as "not sensitive" and you will then have to decide whether you want to protect this.
Always assume that people can get at your data. It's just a matter of time before they can access it (just look at how people have jailbroken the iPhone and a vast array of other smart phones for that matter).
Remember, security is not obtained through obscurity.
The following link has good answers in relation to Isolated Storage on Windows...
https://security.stackexchange.com/questions/5660/how-secure-is-isolated-storage-on-windows
From within a managed application it's not going to be possible to access the Isolated Storage of another application. However from native code that's another matter, and WP8 has support for native code...
http://msdn.microsoft.com/en-us/library/windows/apps/jj681687(v=vs.105).aspx
Plus, the following article asserts that there's only a registry in the way of a hacker who wants to get unmanaged code on to WP 7.1...
http://www.wpcentral.com/let-hacking-begin-how-windows-phone-7-can-run-native-unmanaged-code
So on WP7 it's pretty clear your app shouldn't store any sensitive data in isolated storage on WP and on WP8 it's even clearer. If you can avoid putting sensitive data in isolated storage do so, otherwise you'll need to encrypt the data, and then of course you need to consider the security of the encryption and the keys used to decrypt and encrypt the data. The following looks like a good guide on how to do that best...
http://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx
At the end of the day security is nothing more than a series of hurdles for a hacker, ultimately they'll probably get access to the data if they're really determined and have the skills and resources available to do so.
Related
This is also my first time developing.
I want to make a diary app, but I don't know which database to use because I don't have basic knowledge of databases.
When I click on the calendar, I would like to post on that date.
And I also need a picture that needs to be imported.
I can look for it even if I post this. I think it would be the fastest to ask. Thank you for reading my post and I hope everyone who reads it has a nice day.
Quick Answer: I would recommend persisting data on the user's device instead of a cloud-based database by using Core Data for the following reasons:
The content may be private or sensitive in nature, keeping it on the device is safer
Media attachments can become costly at scale, saving to device removes that burden from the developer
Some cons of this route include the following:
Potential loss of Analytics by not using a cloud database such as Google Firebase
Cloud storage can be backed up in case the user loses their device (assuming they are not backed up via iCloud)
For a more thorough answer I recommend you provide more in terms of your objectives and audience.
I have created a framework in iOS. Now I want to save some data within the framework so that the app doesn't have access to it and the library can change the data whenever required. What is the best possible way to do it, taking all security issues into consideration?
The only way of making it private to the framework/library is to encrypt the data as the app has the same level of access to files as the framework/library.
Also note that data is not saved into the framework itself, but into one of the many folders made available to the app (i.e. Application Support, Caches, Documents, etc.).
I don't know what you mean by "taking all security issues into consideration", however if you mean "make it impossible to access" then that won't happen as you will need to use a key to encrypt the data and it won't be possible to hide the key from a dedicated and skilled attacker. You will deter the casual user, however.
I am learning the iOS file system to store my game data, like saving the amount of money earned and things like this, in an XML file.
The question is where should I store them?
I read this: File System Basics
And I don't know whether I should save data in the Documents directory or the Application Support directory.
Because the data I want to save is something that is not associated with user's documents and user will never see it so it should be in Application Support, but on the other hand it's something that is affected by user interactions so it should be in Documents.
I think it is the Application Support/MyGame as per the Apple Developer guide link shared by you. You are confused by the fact that it should not be something affected by user interaction. Actually it means the user should not directly interact with these. See this from the link: File System Basics
Using something like Parse may slow down your app as it needs to interact with their server, but you do get a backup.
For something of this size, I'd use a mobile backend solutions provider like Parse or Firebase. Personally I use Parse in my projects and it is very easy to implement advanced functionality into your apps like user registration/save data to users.
Hope this helps.
I would like to sync a core data app with a user with a different iCloud ID and I am trying to figure out the most graceful way to do this. I do not want the data to sync with all users, but want to be able to sync among family members for instance. From the research I have done, I do not think I can do that using iCloud Core Data sync because it only syncs between devices with the same iCloud ID. I have looked at this stackoverflow answer and read a little bit about Ensembles, Parcelkit and TICoreDataSync, Parse etc., but it is not clear to me if any of those options will allow me to sync with multiple users. Does anyone have a good method for syncing a Core Data app with multiple users?
Ensembles and TICoreDataSync might work. They can use Dropbox file syncing, so in principle they should work with Dropbox shared folders. I don't think these are the main intended uses, so I suggest contacting the developers and/or doing some good testing yourself before assuming this would actually work.
You'll need to think about the user experience, though. At a minimum, your users would both need Dropbox accounts and would have to set up a shared folder before beginning to sync data this way.
Parcelkit probably won't work. It uses Dropbox's data store API which, unlike other Dropbox services, doesn't appear to support shared data.
Services that do support this kind of sharing exist-- for example, Parse and Firebase-- but make sure to review their pricing carefully before using them. Also of course, there have been any number of projects that have their own custom server back end, but that obviously requires having someone on the team who can do that kind of work.
You need to think about other device types (Android at least) if you want your application to be reaching more users.
I'm doing the same now in the following way:
Setup an online database with proper web services (careful with implementation for security matters - DB should NEVER be exposed by anything other than the web services).
Create a Class for your communication with the server (using Class methods with security handling like authentication and authorisation).
Use the class in your app to communicate with the server (SQL operations are done on the server).
To integrate with CoreData you need to create the model in your app similar to the structure in the backend database. Then you need to create a similar class for the app that deals with only local CoreData.
A higher level class might be required if you want to make sure that operations are done on both server and local data storage.
Besides, you have to implement a lot of conditions to make sure that data is written locally ONLY after making sure that it is stored online (or create an engine for deferred operations to run later).
Another way, if you are familiar with notifications:
Use structured notifications between devices for data operations in order to keep everything in sync with other users. The problem with this is the "Autonomy" of the operations. If two operations were done at approximately the same time, you have to find a way to make sure the order of the operations is done properly (maybe timestamp or something).
I'm looking into the same thing for my app and I 'think' you can do a fairly unsecured version of what you are after using the public folder in CloudKit as mentioned in this question (no accepted answer at time of posting): Private data sharing using CloudKit
You would need to find a way to differentiate between data that is truly public and those shared among the users you need and some level of authentication.
I'm going to try exporting a permission file with access permission in it to whomever I want to share with combined with a unique identifier located in that permission file.
Keep in mind, as mentioned in the comments of the linked answer, my implementation will be security by obscurity (thanks for that phrase) unless you find a way of adding proper validation to it but my data is relatively insensitive.
Hope this, or any ridicule in the comments, points you in the right direction : )
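One way to give the permission file described above real validation, as an added example that is not the poster's implementation: the owner signs the grant with an Ed25519 key and the recipient's app verifies it with the owner's public key. Key distribution, the field names and the Node runtime are assumptions; this authenticates the grant but does not hide data kept in a public database.

```javascript
// Added example: a permission file that is validated, not merely hidden.
// Uses only Node's built-in crypto module. All names are illustrative.
const nodeCrypto = require('crypto');

// Serialize the signed fields in a fixed order so that the signer and the
// verifier always process identical bytes.
function canonical(grant) {
  return Buffer.from(JSON.stringify(
    [grant.shareId, grant.recipientId, grant.access, grant.expires]));
}

// Owner side: attach an Ed25519 signature over the grant fields.
function issuePermission(ownerPrivateKey, grant) {
  const sig = nodeCrypto.sign(null, canonical(grant), ownerPrivateKey);
  return Object.assign({}, grant, { sig: sig.toString('base64') });
}

// Recipient side: accept the file only if the signature is valid, the file
// names this recipient, and it has not expired.
function checkPermission(ownerPublicKey, file, recipientId, nowMs) {
  if (typeof file.sig !== 'string') return false;
  const authentic = nodeCrypto.verify(
    null, canonical(file), ownerPublicKey, Buffer.from(file.sig, 'base64'));
  return authentic && file.recipientId === recipientId && nowMs < file.expires;
}

// Constructed sample data: a fresh owner key pair and one read-only grant.
const owner = nodeCrypto.generateKeyPairSync('ed25519');
const sampleFile = issuePermission(owner.privateKey, {
  shareId: 'family-journal',
  recipientId: 'user-b',
  access: 'read',
  expires: 2000000000000, // milliseconds since epoch
});
```

Because verification needs only the public key, nothing secret has to ship inside the recipient's app.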
I'd like to build a Backbone/Rails Journal App that supports many Users.
How would you persist a journal Entry for a given User, while respecting that User's privacy (the User can store sensitive info in that Entry)? I was thinking of using something like BCrypt, but that wouldn't work since you can't invert the process. Any thoughts?
In this case, I'm trying to keep the app as lightweight as possible, so answers that don't rely on external libraries would be preferred (not sure if that's an unreasonable requirement though).
If you trust the server to send you encryption code, you trust it with the way it handles your data. That's mostly the issue with client-side encryption.
If the user doesn't know how to use their own encryption tools, then they're trusting you with the tools you send them.
That said, if you're still pretty gung-ho about it, maybe consider a web-based version of PGP: https://webpg.org/
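A sketch of the reversible alternative to BCrypt that the question asks about, as an added example that is not from the original posts: each entry is encrypted with AES-256-GCM under a key derived from the user's passphrase, so only salt, nonce, tag and ciphertext are persisted. The same encrypt-before-storing pattern is what the isolated storage and iOS framework answers earlier on the page call for; it uses Node's built-in crypto module, and the function and field names are assumptions.

```javascript
// Added example: per-user, reversible encryption of a journal entry with no
// external libraries. All names are illustrative.
const nodeCrypto = require('crypto');

// Derive a 256-bit key from the passphrase with scrypt (Node's default cost
// parameters). The salt is stored with the entry; the passphrase and the
// derived key are never stored.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Returns a record that is safe to persist.
function encryptEntry(passphrase, userId, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every entry
  const cipher = nodeCrypto.createCipheriv(
    'aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(String(userId))); // bind the record to its owner
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    userId,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Returns the plaintext, or null if the passphrase is wrong or any part of
// the record (including its userId) was modified.
function decryptEntry(passphrase, record) {
  try {
    const key = deriveKey(passphrase, Buffer.from(record.salt, 'base64'));
    const decipher = nodeCrypto.createDecipheriv(
      'aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    decipher.setAAD(Buffer.from(String(record.userId)));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pt = Buffer.concat(
      [decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // authentication failed
  }
}
```

Where this code runs decides who can read the entries: executed on the server, the server sees the passphrase at request time, which is the trust issue the answer above describes.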