In researching how iOS devices (iPhone/iPad/iPodTouch) are protected via encrypted I came across many articles that mentioned if a device was "jailbroken" then the built in encryption of the iOS device was essential null and void. That by jailbreaking, the default encryption could be bypassed.
Assuming this is true is there anyway to enable the encryption features of an iOS device while maintaining a Jailbreak? There are a lot of tweaks I really make use of a lot (SBSettings) and I would hate to have to give them up in order to maintain security on iOS.
Jailbreaking removes the requirement for apps to be digitally signed. Anything will run now - so yeah you need to be careful what you load on there.
It's not an encryption issue thou.
Related
I want to prevent installation of my iOS app in jail broken devices. Is there any checks that can be done during installation to identitfy if the device is jail broken ? Is there any way to stop the installation if the device is jail broken?
Generally, it break down to two questions:
1) Detection of a jailbreak device.
There are plenty of different methods. None of them is 100% guaranteed to work.
Look at this question:
How do I detect that an iOS app is running on a jailbroken phone?
2) Taking some actions on a jailbroken device
As #Paulw11 mentioned, you can't stop installation and you can't uninstall.
The common way is just exit from your application (don't provide any useful functionality to a user). However, if your application have very high value, this protection can be removed by somebody who will reverse engineer your application.
Generally speaking, there is no bulletproof protection, but you can make it good enough, so it won't be worthwhile breaking it.
My clients use my app in their private devices which are not under any MDM-control or under control of a foreign company. I want to make sure that my app can only be executed when some requirements are met like:
device is not jailbroken
device-password is set
At the end I want to make sure that no data is leaked, when the app is installed on private devices.
Is it necessary to install a client like mobile iron? If I can install a mdm-profile, this must only guarantee the required conditions for my app.
How do I archive this goal?
iOS MDM management will enable you to tell if a managed device has a passcode set; I don't think there is any other way (short of jail-breaking) to detect this.
Your own application can attempt to do jailbreak detection; Apple's MDM by itself cannot do jail-break detection.
Someone has already asked a similar question about detecting a jailbroken device: Determining if an iPhone is Jail broken Programatically. There are also some answers to a question about checking if a password is set but I don't think the code in the answers covers this for you. You might want to check it out though.
You need to be aware that fighting these device compromises is an ongoing battle. There may be a point where the code you have written is ineffective at determining a jailbroken device. This means that you cannot promise that your app will not run on jailbroken devices unless you are planning on tracking all of the techniques in the wild, and releasing new versions to keep up with the threat.
I'm a real noob to encryption. After breaking my head over this for a couple of days i've decided to search for help on StackOverflow.
Currently I'm developing mobile applications for iOS, Android and Windows Phone. In the application i need to request data from a server with an encrypted url. Because the application has to be for iOS, Android and Windows Phone i need to use an encryption that works on each platform. I've decided to use AES encryption with a key and an iv.
I've gotten the AES encryption to work for Windows Phone, but am really stuck on iOS. I've searched the web for a good example but haven't found anything that explained the whole proces. Could anyone help me by giving me an example (with explanation) or a good URL?
Would really appreciate the help!
Edit:
I know I want to generate an AES key based on a key and an iv. With the aes key i want to encrypt my password. The exact question is how i would do that in code.
I have used openssl for encryption between devices and platforms. There is quite of bit of documentation available and I'm pretty sure it will work for what you need.
There are also several wrappers available on github too to make encrypt/decrypting a bit easier.
OpenSSL
I've ended up using AES. This Encryption type is available for Android, iOS and Windows Phone.
For iOS and Android there are plugins available on internet to make the work easier for you. Just search for {platformname} AES and you should get enough websites.
is it required to sign the blackberry application before installing it to the device ? , only for testing purpose while developing not for market release.
If you are installing it on to a physical device AND you use the protected APIS (which is pretty much any not J2me only classes) you do need to sign the applications.
Yes even for development.
Getting a signing key practically free and the process is very simple and you don't need to go through an approval process. I would HIGHLY recommend you get a signing cert even if your application currently doesn't need one (but since you are asking I assume it does)
Is there a way to limit devices, i.e. iPhone 3G and higher, and not to support the iPhone 2G and lower. I can't find an element that is different. I would limit it to iOS 3.1, however I'm pretty sure that iPhone 2G and lower can run iOS 3.1.
There is a similar question about 3GS+. But 3G+? That might be tough. I don't see anything in the UIRequiredDeviceCapabilities that specifies the 3G radio. You could try using another key based on a hardware feature that the 3G has that the iPhone doesn't, but then you risk getting your build rejected by Apple.
Using run-time checks to detect hardware as Sam Ritchie also suggests is also a bad idea since (1) that will most certainly trigger a rejection, and if it doesn't (2) people with older devices will be able to purchase the app, only to find out it won't run, and they will complain, which will cause Apple to pull your app from sale anyway.
The only way to do it without resorting to things that Apple disallows is to target iOS 4.0 or higher. 4.0 does not run on the 1st generation. I realize you want to target iOS 3.1, but you either allow all devices, or target 4.0.
One nice way to do this would be to check out the UIDevice-Extension project on github. It gives you the ability to detect what hardware you're running on.
I suspect that the way to solve this would be to examine your app and figure out what exactly you don't want a user of an earlier phone to be able to access. Once you've narrows down the feature, you can easily check for the existence of that specific feature on the device. To do this, include the UIDeviceRequiredCapabilities key in Info.plist, and take a look at Apple's Build Time Configuration guide for a list of all possible values. You'll find it under the "Declaring the Required Device Capabilities" heading. Good luck!
Add some minimal Location based functionality to your app (so that Apple can't reject it), and then add the "gps" key to your app's UIRequiredDeviceCapabilities.
But consider that the percentage of 2G's users who actually still buy apps appears to currently be microscopic, and not worth bothering over. Just state the lack of support for these devices in your description.
This answer seems to answer your question:
https://stackoverflow.com/a/4128248/285694
The solution is to require "armv7" in the required device capabilities xml.