Is there a way to secure files downloaded within an app to prevent them from being accessed by the user via a jail broken device, or something like iExplorer when the device is plugged into a computer ?
I'm primarily thinking of things like PDF files, and have considered encrypting them in someway and then storing the data in an sqlite database. The other thing I've looked into is 'NSDataWritingFileProtectionComplete' but that only seems to encrypt data when the phone is locked.
Any suggestions more than welcome. Thanks.
You could use the CCCrypt library to encrypt your data.
These links should guide you in the right direction:
http://aptogo.co.uk/2010/07/protecting-resources/
http://www.raywenderlich.com/6475/basic-security-in-ios-5-tutorial-part-1
If it's just PDF files, the easiest way to secure them is to password-protect the files. Your app can use the password to open them, but people who grab the files from the device won't be able to.
Related
I've been googling around on how to store a password, and most of the people say that the only acceptable option is Keychain. I implemented that kind of approach, due to rush. But now I am curious what is that obvious thing to not store passwords in NSUserDefaults and is it ok to store password in CoreData?
So far I understood that NSUserDefaults are stored as a plain text in plist file. But how may one access this file? I've read that it is possible to do with the help of a lightning cable and an itunes, but didn't find how to do that.
Thanks in advance!
Data you store using NSUSerDefault are getting saved in simple plist -in binary format without any encryption. there are many tricks to read these data or modify these data.
Jailbreak users can use iFile to view or modify plist files. Non-Jailbreak users can use other software like iExplore - iFunBox to do this. This software allows users to explore the iOS filesystem without having phone jailbroken
Long story short -- anyone can see or modify data in NSUserDefault. So if you don't want to share your detail publicly, you should never store them in NSUserDefault.
The problem in here is Jailbroken device, while the device is Jailbroken, it will allow other app/tweak to intercept with the sandbox files inside the app, thus can search/read the .plist file in there, atleast thats what i know of
I have an iOS app which keeps sync with a database of PDF documents via a RESTful web service. Basically, the app downloads a few PDF's which I am storing to the file system in my app.
I am using the Library/Caches directory.
NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES)
My requirement is to store the files such that the user cannot gain access to them in any way. When I write the file, I am also providing the option: NSDataWritingFileProtectionComplete
[decodedFile writeToFile:newFilePath options:NSDataWritingFileProtectionComplete error:nil];
However, I am still able to access the files through Devices -> Select My App -> Download Container...
I need to configure the app such that the downloaded content cannot be accessed by anything but the app itself. There must be a way to do this, but I have been unable to find anything...?
This is not a solvable problem. If this were a solvable problem, then it would be trivial for Apple to prevent Jailbreaking. They would just write a system validation key in whatever place the user cannot possibly access. The fact that Jailbreaking is possible despite Apple controlling every part of the ecosystem should put in perspective your chances of protecting data that you've written to a user's device from that user.
This has been discussed several times, including thoughts on what you actually can do and what's worth doing (nothing is going to be 100%; nothing is even going to be 90%). You can look over the previous incarnations of this question for more. Secure https encryption for iPhone app to webpage is a good place to start, since it includes links to several of the others.
I wrote an iphone app that as a first function allows the user to download files. The user then manipulates these files in a particular way that wants them to be in memory.
It's not necessary that all of the files the user gets are in memory, just a few at a time that are well within memory constraints. However, the option to download the rest later is not available because of location assumptions (mainly that there is no assumption the user will be within wifi or data reception).
Is there a way around this? One example would be to have some sort of permanent write that I could access. Is that how the file storage apps solve this?
Thanks.
Could you use a server to do the manipulation instead of the app? iphone app sends the link to the server, server does the manipulation, and the the iphone downloads the manipulated link.
We develop several apps/games. We store/retrive data from plist.
But in Jailbroken devices plist files are editable through several
tools.
I have searched got the followings #
How to secure plist or NSUserDefaults
http://useyourloaf.com/blog/2010/03/29/simple-iphone-keychain-access.html
https://github.com/matthiasplappert/Secure-NSUserDefaults
Those tutorials tells how to prevent you plists from being changed.
But we don't want to let the users (harmful users) to show any data.
Is there any way?
The main question is who are you protecting it from?
1) If you want to protect your plist from prying eyes of unsophisticated user (just and average guy with some tool), all you need is to encrypt plist (even hardoded key should be enough)
2) If you want to protect to protect it from a hacker who has an access to the phone then you will have to do a lot of actions - you need a passcode, this passcode should be long, it should be hashed with salt and this should be used (directly or indirectly) as a key for protection. This way, a hacker without knowledge of password won't be able to get to your plist.
3) If you are trying to protect from malware, which is specifically designed to get a data from your running app - you are screwed. Since, jail is broken on Jailbroken devies, malware can literally do anything and it will be always able to copy your plist out of memory when your application will decrypt it.
I have encrypted files downloaded and available for offline view in a folder, I would like to know:
how to open them in the appropriate reader as these are ms office docs and prezi format
I suppose they will have to be unencrypted so that reader can read them but in this case how to ensure security?
which folder to use to avoid iCloud sync, I already read this Disable iCloud sync
Does iOS protects documents of the application by encryption based on app key as I read it or am I wrong?
Speaking extemporaneously, as thoughts occur, Sven is right about UIDocumentInteractionController and that objects are identified by URL.
However, it's possible you don't need to unencrypt your files on disk for this to work. You can probably write your own little URL protocol (subclass NSURLProtocol and implement methods appropriately; you should end up checking that URLs are within the invented scheme you've created — e.g. myApplicationEncrypted:// — then posting data packets to a NSURLProtocolClient) and register it with the device via NSURLProtocol +registerClass.
You'll obviously need to decrypt between disk and protocol client. So you'll be passing unencrypted data on — you'll need to make a trust judgment on UIDocumentInteractionController.
The document interaction controller is documented to work within your app, so there shouldn't be sandbox concerns.
You can send your documents to other apps using an UIDocumentInteractionController object. You initialize it with a file URL pointing to your document and then use one of it’s methods to present it.
This takes care of displaying a preview (if possible) and letting the user select the application the document should be opened in.
The document has to be decrypted for this to work. You then cannot make any guarantees about the security of your file - once it is handed over to another application it is out of your control.
If your app doesn’t explicitly opt-in to use iCloud sync your data will not be synced with iCloud. What will be sent to iCloud are backups of the whole device though (if enabled). There are ways to disable this for single files as you already read in the question you linked.
The iOS file protection is based on a device key, not on a per app key. This also is not necessary because apps are protected from each other by the sandbox, unless your phone is jailbroken. On a jailbroken phone there are no security guarantees.