I am building an application which is talking to my .Net WebService. Application is transmitting some sensitive client information to my WebService which I want to encrypt before I wrap it in the SOAP Envelop. And web service will decrypt it on the other side before using it.
Can someone suggest me how to achieve this. I know .Net has some security which allow you to do some authentication and encryption but I dont want to go to that path at this stage, as I want to make data secure going to and from the iOS device to my webservice.
If any tutorial or example exists please let me know as this is first time I am using encryption decryption.
AES is available on pretty much every platform. What you have to do is to make sure that everything else is the same on both platforms:
1.The same mode; use either CBC or CTR mode.
2.The same IV; set it explicitly, don't use the default because it will often be different on different systems.
3.The same key; obvious, but they need to be the same at the byte level because text can be encoded differently on different systems. Explicitly state the encoding you are using.
4.The same padding; for AES use PKCS7, again don't rely on the default which may be different on different systems.
Whatever you chose do set things explicitly and don't rely on defaults. Defaults can differ between systems and any difference will cause decryption to fail.
Use an HTTPS connection. This will encrypt your entire connection, and it's trivial to use and built in to both the iPhone and .NET.
Related
I am developing an App which will download some images from a server and save it on user's device. But what I am really concerned about is that these images should not be easily accessible by other apps or THE USER.
One approach could be that my App encrypts the images and saves them in the documents directory and decrypts them when required, but I think that it would make loading the images into UIImageView considerably slow.
There are many games which don't include large resources into their App-bundle to keep the App-size small and download the heavy resources later.
Where exactly do they save those resources?
And how do they secure them from being copied very easily from the directory where they are stored?
Probably because of trying to secure the files from the user the best option is to encrypt them with AES and saving them in the user area, Documents or Library directory or subdirectory thereof.
You are better off using Common Crypto. If RNCryptor suits you needs use it, it uses Common Crypto under the hood. Otherwise there is plenty of sample code for encrypting using Common Crypto here on SO.
Key the key should be random bytes as is the iv, save the key in the Keychain. Use AES in CBC mode with PKCS7 padding.
If you really want good security hire a cryptographic domain expert, the overall security is not trivial to get right. Don't forget the server and at a minimum use two factor authentication to it.
The decryption time should not be a problem, much faster that coming from a server.
I'm new to iOS development and working on a small iOS mobile app that stores sensitive information of users. Initially I thought of using custom AES encryption to encrypt/decrypt all the data. I also want the encrypted data to be synced with iCloud. After reading more I came to know from iPhone 3GS each device has a built-in AES-256 crypto engine. From the XCode, I observed that I can turn on an option called "Data Protection" for the mobile app to secure data. Based on my analysis I've below questions:
To use data protection for iPhone 3GS (uses iOS 6.1) do I need to set passcode?
Without setting passcode for the device how can I use the built-in crypto engine to encrypt my data?
The information are very sensitive and so in this case do I need to implement custom encryption?
RNCryptor is very useful, but it's basically just a wrapper for Apple's own CommonCrypto functionality (that makes implementing it pretty easy). It's useful if you want to encrypt data on the device that even the user cannot get ahold of.
Regarding your specific questions:
Data protection encrypts your app data using Apple's device-level encryption (you do not password protect it yourself). This has its uses - it will keep a 3rd party from being able to access data on a device if they are unable to unlock it - but does not prevent (for example) a user from getting access to data on their an unlocked device. Using RNCryptor and CommonCrypto which it is built upon you can AES256 encrypt content using a password of your choosing.
Apple details this here. Basically, from the end user's perspective they just set a password for their device as normal. You do not use a password of your own choosing.
You can set this up for your app using the following instructions:
https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html#//apple_ref/doc/uid/TP40012582-CH26-SW30
This depends on how sensitive the data is and what threats you foresee (Who are you trying to keep it away from? Are there any laws/regulations you intend to comply with? How much work do you want to take upon yourself to protect this data?). There are a lot of trade-offs and caveats that can apply in certain situations.
If you have a small amount of data, you might consider just storing it in the iOS keychain. Otherwise, I'd recommend giving RNCryptor a try. It's fairly easy to integrate.
I hope this helps.
UPDATE: Another thing to consider... There are potential export control ramifications that might come up if you implement your own encryption, even using RNCryptor/CommonCrypto. Depending on how much paperwork and/or delay you're willing to deal with, this may influence your decision. You can learn more about this from Apple's site, here:
https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/wo/20.0.0.13.7.2.7.9.3.1.2.3.3.1.5.7.1
This really depends on how many scenarios you are trying to protect against. Pretty much any scenario you can possibly create will be broken given enough time and effort. However to address a few points:
1) Yes you need to set a passcode for this feature to become active.
2) You can make use of the CommonCrypto library (or a wrapper around it like RNCryptor)
3) This is a bad idea for the simple reason that developing a secure algorithm is insanely hard. The slightest flaw will leak out all of the data and people have devoted years of their lives to sniffing out these flaws (although I may have misunderstood what you meant by "custom encryption")
If you want to be as secure as possible you will have to do this: Send your file to a server for processing (via HTTPS). It is much harder to hack into a server then it is to hack into an iOS application. If you simply use RNCryptor it is pretty trivial to rip apart the app looking for the password, or how you obtain the password. Basically if the app can do it then BlackHat can do it too.
EDIT I forgot about one thing! If you generate a random password for each install and store it in the keychain then this will help, but it is not foolproof (There is a small chance that the iOS keychain contents can be retrieved from a jailbroken device, especially if the user has a week passcode). However this will make the user's data non-recoverable if they wipe the OS for any reason.
very very very simple : https://github.com/RNCryptor/RNCryptor
I was used it for a chat application it so good.
I'm building an iOS app but my app binary shows all my NSStrings that I've. Is there a way to encrypt it ?
I want to hide all my NSStrings from my app binary file.
You would not be able to encrypt your app binary in an secure way. You would at least need to pass the key next to the application bundle so the operating system would be able to encrypt the application before running it. And when you pass the key next to the application somebody interested in your application would be able to decrypt it too. So encrypting the whole binary file would be useless.
Do you ship passwords or API keys with your app bundle?
The best deal would be to redesign your application so such stuff isn't needed. You could try to prevent user from reading them directly out of your binary file, but they would always be able to get them. A couple of very smart guys have already tried that and failed, so don't waste your time trying to be better then them. So don't ship passwords or API keys!
If you still want to ship sensitive data in your binary:
You could give the following a try:
NSString *encryptedSensitiveString = #"mysensitivdatapreviosulyencpryted"; // <- this will be stored in your binary since it's a constant string
NSString *sensitiveString = [someHiddenKey decryptString:encryptedSensitiveString];
// Now you can use your sensitive string which is decrypted at runtime
If you are looking for some cryptography library for Objective-C you can use MIHCrypto framework based on OpenSSL.
As someone already stated, building or decrypting the strings dynamically is one choice.
Another is to use a 3rd party app protection system, like Arxan. I have never personally used it so can't really recommend it, but it does all sorts of obfuscation to prevent users from peeking into your app.
I am developing an app that stores PDF files. These files should be stored secure, i. e. encrypted. I also found some libraries that extend NSData with AES en/decryption. But then I read, that iOS supports hardware encryption via AES. Is the NSData library really necessary if they both provide AES256 encryption?
If there are differences, which way is more secure? Also.. how do I activate the hardware encryption? Or is this a global setting that applies to all apps? I guess that the files become decrypted after the device is unlocked? So if someone cracks my phone he has also access to the decrypted files? But if I do the encryption by myself and connect the decryption with a SHA hashed password that is stored in the keychain the files might still be inaccessible?
Edit:
Did I get it all wrong and my library (AQToolkit) is just some kind of API for the built-in hardware encryption and I am basically talking about the same thing?
I heartily recommend RNCryptor, which uses Apple's own Security.framework guaranteeing hardware encryption/decryption if possible. It's incredibly easy to use in the default case (AES-256 with 10k iterations of PBKDF2). It's not an encryption library per se, but rather an Obj-C packaging of the open source Common Crypto C library. Check it out.
I want to encrypt a parameter(which consist of sensitive data) while sending to server(WCF Service) using SHA1 algorithm, On server end I'll decrypt the string and use it.
This way i can ensure any third party won't read my sensitive data so easily.
How do I encrypt the string in windows phone 7 using SHA1 algorithm and decrypt the same in my WCF service.
Encrypted string may come to server from iPhone, android or WP7; How do I ensure that every client will produce the same result in server.
Update:
Can I use AES algorithm for above requirement?
How do I encrypt the string in windows phone 7 using SHA1 algorithm and decrypt the same
You don't. SHA-1 is a hashing algorithm. It's one way - you can't "decrypt" it. You should choose a symmetric or public/private key algorithm based on your requirements. Read the .NET cryptographic services documentation as a starting point - I'd expect pretty much any of the algorithms supported by .NET to also be supported on other platforms.
Alternatively, just use HTTPS instead of HTTP... that would satisfy your initial highlighted requirement without you having to do much work at all (beyond the server-side deployment of appropriate HTTPS certs).
Agree with Jon's post but with additional thoughts.
I cannot comment yet (need more street cred) so I will post it here.
Your question does not state if you are transmitting this from a native app, or a browser (using an Ajaxian mechanism). But I will presume native. Really though the answer is the same with the difference being implementation.
The easiest approach IMO would be to use the tools and APIs to be a HTTPS (SSL/TLS) client which will give you over the wire confidentiality. The details of what quality of service the SSL connection provides is for you to configure from the "cipher suites") available. AES is available.