I am creating an app that would allow people to share sensitive info with each other via the iPhone SMS app. I want to make use of the security framework that Apple provides, using keys that the people sharing that data know beforehand to encrypt and decrypt strings. I don't have much knowledge about the whole keychain system on iOS devices or security protocols in general, so does anyone know any good resources for learning about this stuff?
Try
http://useyourloaf.com/blog/2010/3/29/simple-iphone-keychain-access.html
http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code
http://dev-metal.blogspot.com/2010/08/howto-use-keychain-in-iphone-sdk-to.html
I'm making a program that has a feature to sign in using ONLY a user's fingerprint image from the iPhone, matching it against various fingerprint images in the database. Is there any possible way to get the fingerprint image from the user on the iPhone?
(Basically, I want to make the iPhone work as a fingerprint scanner.)
Many thanks.
No, absolutely not possible. It's against the Apple policy and I would say even their core values. And it is understandable as it would potentially be a very dangerous capability.
From the Apple documentation on TouchID:
To maximize security, your app never gains access to any of the underlying authentication data.
But you can use the provided authentication API (e.g., to safeguard a given sensitive operation).
Short answer: API only tells if the fingerprint matches or not, not more than that.
I doubt there is a way due to privacy concerns, not even developers should be supposed to have access to it. Even if that was allowed, security measures should be taken such as having it hashed.
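What the answers above describe, as an added example (not code from the original posts): the LocalAuthentication framework hands the app only a success flag and an error code, never fingerprint data. The function name `confirmWithBiometrics` and its callback shape are assumptions made for this sketch.

```swift
import Foundation
import LocalAuthentication

/// Ask the system to verify the enrolled fingerprint before a sensitive operation.
/// The app learns only "matched" or "did not match" plus an error code;
/// no image, template or hash of the fingerprint is ever exposed.
func confirmWithBiometrics(reason: String,
                           completion: @escaping (Bool, LAError.Code?) -> Void) {
    let context = LAContext()
    var availabilityError: NSError?

    // Fails when no sensor is present, nothing is enrolled, or biometry is locked out.
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &availabilityError) else {
        let code = availabilityError.flatMap { LAError.Code(rawValue: $0.code) }
        completion(false, code)
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, error in
        // `success` is the entire result of the match; `error` explains a failure
        // (user cancelled, too many attempts, ...).
        let code = (error as? LAError)?.code
        DispatchQueue.main.async { completion(success, code) }
    }
}
```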
I am wondering what is considered the most secure way of two apps exchanging data within Cocoa Touch env.
I am very much new to iOS development and Swift development and I am just looking to explore another part of the OS capabilities.
I read about App Groups sharing a location (directory) where files can be exchanged but also about URL schemas between apps to share data.
Are there any other ways of inter-app data exchange? And which is considered the most secure one?
It depends on what you consider secure, but the iOS Keychain may fit your needs. The iOS Keychain is password protected and can be accessed by other applications that you authorize.
Take a look at the official Keychain Services Programming Guide and this article explaining how it works.
I'm creating a banking application for iOS that is transferring sensitive encrypted data from an azure mobile backend to an iOS device. What is the best way to go about decrypting this data on an iOS device securely? What protocols should be used? What third party libraries / services? Are there standards for financial applications that I should be aware of?
I've heard things thrown around such as EKS encryption with SQL, SSL, RSA / Diffie Hellman encryption, AES-128 being a standard practice etc etc. Is there anything practical to implement without delving into low level C code?
SSL works for data in transit; pin the certificate.
AES128 is fine for data at rest but the key must be good and secured.
On iOS put the key in the Keychain; there is no more secure method.
If you need to store a key on a server, keeping it secure is more of a problem.
Finally, at a minimum use two-factor authentication on the server.
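An added example (not part of the original answer) of the "put the key in the Keychain" advice: generate a 128-bit AES key from the system random source and keep it as a generic-password item. The service and account strings, the `KeychainError` type and the function names are assumptions made for this sketch.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; use your app's own values.
let keyService = "com.example.bank.datakey"
let keyAccount = "aes128-data-key"

struct KeychainError: Error { let status: OSStatus }

/// Generate a 128-bit key from the system CSPRNG.
func makeAESKey() throws -> Data {
    var bytes = [UInt8](repeating: 0, count: 16)
    let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
    return Data(bytes)
}

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: keyService,
            kSecAttrAccount as String: keyAccount]
}

/// Store the key. Fails with errSecDuplicateItem instead of silently
/// overwriting a key that existing ciphertext may still depend on.
func storeKey(_ key: Data) throws {
    var attrs = baseQuery()
    attrs[kSecValueData as String] = key
    // Readable only while the device is unlocked; never migrates to another device or backup restore.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

/// Return the stored key, or nil when none has been created yet.
func loadKey() throws -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError(status: status) }
    return item as? Data
}

/// Fetch the app's data key, creating it on first use.
func dataKey() throws -> Data {
    if let existing = try loadKey() { return existing }
    let key = try makeAESKey()
    try storeKey(key)
    return key
}
```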
My solution ended up being to use AESCrypt (github: https://github.com/Gurpartap/AESCrypt-ObjC)
This proved to be as simple as dragging the class files into Xcode and calling
NSString *encrypted = [AESCrypt encrypt:secret password:password];     // Base64-encoded ciphertext
NSString *decrypted = [AESCrypt decrypt:encrypted password:password];  // original string
Thanks for the help! I will probably end up implementing some sort of CocoaPods supported platform later on, but this will work for now.
I need to develop some simple demonstration of an application reading a file over HTTPS and saving it to the local memory (internal or external) of an iOS device (e.g., an iPhone), in a way that it is only accessible to it. So, application-specific file encryption is required.
The "Advanced App Tricks" page of the Apple iOS Developer Library, in the "Protecting Data Using On-Disk Encryption" section, seems to imply that a file encrypted on disk, via either Default (i.e., iOS filesystem) or "Complete" Data Protection, would be accessible by all applications, after the user types the device's lock code.
If that is the case, could someone please suggest the best way of implementing file encryption per-application on an iOS device, with a password request when a user tries to open the file? Any sample code would also be very helpful.
Also, does "software encryption" apply to iOS anymore? Both Default and Data Protection encryption seem to be hardware-based.
Thanks!
Application files are not accessible between Apps. Each App is individually sandboxed.
In all cases the document is talking about the access available to "Your App". It is never accessible to another App. But see below. Some of the protection options help cover what and when "Your App" has access to the file when in the background.
Jailbroken iOS devices will have greater file system access so adding "Data Protection" will protect from this vector.
See the document section on The iOS Environment and particularly the section "The App Sandbox".
Hardware encryption: There are a few things that hardware encryption provides. 1. Speed. 2. The encryption method cannot be changed, that is, as with software encryption, there is no code that could be compromised. 3. The key cannot be accessed. The key is in some manner placed/created in the hardware and the hardware does not allow read access (there are occasionally very secure export capabilities). The device is asked to perform crypto functions on data and returns data. Examples of this are smart cards, HSMs, TPMs and TPM equivalents; the iPhone has a TPM equivalent and that is used for the Keychain. By chance my wife and I were discussing this very topic yesterday. :-)
As far as I know, for encryption of bulk data, iOS does use special hardware instructions to aid AES encryption for speed, but that would not be considered hardware encryption due to the key being available in software. There is a little guessing here due to the lack of information about the Apple A-series ARM chips; it is true of the Intel chips in Macs.
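An added example (not code from the original answer) for the scenario in the question: fetch a file over HTTPS, write it inside the app's own sandbox with "Complete" Data Protection, and read back the protection class actually applied. The function names and the choice of the Application Support directory are assumptions made for this sketch.

```swift
import Foundation

/// Write bytes into the app sandbox with "Complete" Data Protection:
/// the file is unreadable while the device is locked.
func saveProtected(_ data: Data, named name: String) throws -> URL {
    let dir = try FileManager.default.url(for: .applicationSupportDirectory,
                                          in: .userDomainMask,
                                          appropriateFor: nil,
                                          create: true)
    let url = dir.appendingPathComponent(name)
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

/// Report which protection class the file system recorded for the file,
/// so a wrong or missing class can be caught in a test or at startup.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}

/// Download over HTTPS only, then store with Complete protection.
func fetchAndStore(from url: URL, as name: String,
                   completion: @escaping (Result<URL, Error>) -> Void) {
    guard url.scheme == "https" else {
        completion(.failure(URLError(.unsupportedURL)))
        return
    }
    URLSession.shared.dataTask(with: url) { data, response, error in
        if let error = error {
            completion(.failure(error))
            return
        }
        guard let http = response as? HTTPURLResponse,
              http.statusCode == 200,
              let data = data else {
            completion(.failure(URLError(.badServerResponse)))
            return
        }
        completion(Result { try saveProtected(data, named: name) })
    }.resume()
}
```

On a device, `protectionClass(of:)` should return `.complete` for files written this way; the simulator does not enforce Data Protection.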
The client is concerned about safety of the data application uses and stores locally on device (e.g. they want to prevent reading our data files even on jailbroken iPhones). So I wonder - what are the possible ways to ensure data safety on iPhone?
Edit:
I'm thinking about 2 ways of storing data - a bunch of XML files (maximum size - about 1MB) or an SQLite database. I'm more inclined to the 2nd variant but still not sure.
You might want to check out this article - Protecting resources in iPhone and iPad apps. It talks about a scheme to encrypt app resources at build time, which can then be decrypted when needed by your app. Decryption happens in-memory so unprotected temporary files are not left on the filesystem. You can even load encrypted HTML, PDF & images straight into a UIWebView.
For transparency's sake: I wrote that article and it is hosted on my own website.
Any time code is running on physical hardware that's out of your control, it is vulnerable - the iPhone must have the ability to decode the data for it to be usable, and if the iPhone has that ability, so does the user. If the data is valuable enough, someone will break your encryption.
The movie industry spent millions on their DVD DRM. It got cracked in a few weeks.
The CommonCrypto library, available on the phone, supports symmetric encryption. You can store the key in the keychain, which is itself asymmetrically encrypted. The key to decrypt the keychain is baked into the hardware so you'd need to go to some lengths to retrieve the data.
(e.g. they want to prevent reading our data files even on jailbroken iPhones). You may use Localytics mobile analytics (open source) to find out whether the application has been used on a jailbroken iPhone or not. They have premium options also. A lot of mobile analytics are available; you can check.