What are the common practices to protect data on iPhone - ios

The client is concerned about the safety of the data the application uses and stores locally on the device (e.g. they want to prevent reading our data files even on jailbroken iPhones). So I wonder - what are the possible ways to ensure data safety on iPhone?
Edit:
I'm thinking about 2 ways of storing data - a bunch of xml files (maximum size - about 1MB) or sqlite database. I'm more inclined to the 2nd variant but still not sure

You might want to check out this article - Protecting resources in iPhone and iPad apps. It talks about a scheme to encrypt app resources at build time, which can then be decrypted when needed by your app. Decryption happens in-memory so unprotected temporary files are not left on the filesystem. You can even load encrypted HTML, PDF & images straight into a UIWebView.
For transparency's sake: I wrote that article and it is hosted on my own website.

Any time code is running on physical hardware that's out of your control, it is vulnerable - the iPhone must have the ability to decode the data for it to be usable, and if the iPhone has that ability, so does the user. If the data is valuable enough, someone will break your encryption.
The movie industry spent millions on their DVD DRM. It got cracked in a few weeks.

The commoncrypto library, available on the phone, supports symmetric encryption. You can store the key in the keychain, which is itself asymmetrically encrypted. The key to decrypt the keychain is baked into the hardware so you'd need to go to some lengths to retrieve the data.

(e.g. they want to prevent reading our data files even on jailbroken iPhones). You may use Localytics mobile analytics (open source) to find out whether the application has been used on a jailbroken iPhone or not. They have premium options also. A lot of mobile analytics are available; you can check.

Related

PWA on IOS and offline storage

We are looking to develop an "App" which would have the ability to record the details of a damaged car for assessors. The idea is that a small number of assessors would have company iPads. Then when a car is damaged and returned to the car yard they can visit, take photos, enter some details and then upload them into the main system later. Some of the car yards may be in areas that do not have internet coverage, so offline capability is required.
Our initial thoughts were to develop an IOS App for installation on a small number of company iPads. The App could access the camera to take photos and then when the device has internet access upload the photos to the main system. However this solution could prove too costly (regarding development costs) for the customer.
I have read about PWAs and caching data, but the caching seems to be for offline read access.
If we installed Chrome on an iPad and then installed a PWA then presumably:
The PWA could store pictures up to 128GB * 6% = 7.68GB?
If stored using the File System API then (as long as there is plenty of space on the system) the data will be persisted (my understanding is there is no time limit)? Or would a different type of storage be more suitable?
The offline data is obviously important (may be required in court) so are there any other concerns around persistence & stability before the images are uploaded to the main system?
Note we would prefer to use iPads (as the customer would prefer these) but we could consider other platforms.
At this stage I am really trying to find out if a PWA accessing the offline storage is likely to be feasible, practical and stable on the platform?
Firstly, iOS restricts third party web browsers (or any app that displays web pages) to using its own engine - installing Chrome on an iPad will not enable access to any web APIs that iOS/Safari doesn't already support.
So in particular:
File System API is not available on iOS, even if you're using Chrome
Cache API has a storage limitation per website of 50MB
IndexedDB has a storage limitation per website of 500MB or half the device's free space (whichever is smaller)
PWAs and their cached data are automatically wiped from devices if not used for a few weeks
The "navigator.storage" API for requiring durable data is not supported on iOS, even if you're using Chrome or Firefox.
My first thought would be that if you are only going to support iPads and indefinite offline storage is a requirement, you are probably best off with a native application. Keep in mind that for this kind of application you would need the Apple Enterprise Program, which is more expensive than the regular Developer Program.
However, if you do want to use a PWA, your best bet for local storage would be IndexedDB. As per the comment by skybondsor, browsers do indeed limit and possibly evict data after a while, according to MDN web docs.
But reading your question, I get the sense that you do not really need persistent local storage, but rather a method ensuring that your data will eventually end up on the server. You can accomplish this by exploiting the Background Sync methodology. This allows your application to delay the upload to when a stable internet connection is available.

Application-specific file encryption in iOS

I need to develop some simple demonstration of an application reading a file over HTTPS and saving it to the local memory (internal or external) of an iOS device (e.g., an iPhone), in a way that it is only accessible to it. So, application-specific file encryption is required.
The "Advanced App Tricks" page of the Apple iOS Developer Library, in the "Protecting Data Using On-Disk Encryption" section, seems to imply that a file encrypted on disk, via either Default (i.e., iOS filesystem) or "Complete" Data Protection, would be accessible by all applications, after the user types the device's lock code.
If that is the case, could someone please suggest the best way of implementing file encryption per-application on an iOS device, with a password request when a user tries to open the file? Any sample code would also be very helpful.
Also, does "software encryption" apply to iOS anymore? Both Default and Data Protection encryption seem to be hardware-based.
Thanks!
Application files are not accessible between Apps. Each App is individually sandboxed.
In all cases the document is talking about the access available to "Your App". It is never accessible to another App. But see below. Some of the protection options help cover what and when "Your App" has access to the file when in the background.
Jailbroken iOS devices will have greater file system access so adding "Data Protection" will protect from this vector.
See the document section on The iOS Environment and particularly the section "The App Sandbox" (iOS Environment).
Hardware encryption: There are a few things that hardware encryption provides. 1. Speed. 2. The encryption method can not be changed, that is as with software encryption there is no code that could be compromised. 3. The key can not be accessed. The key is in some manner placed/created in the hardware and the hardware does not allow read access (there are occasionally very secure export capabilities). The device is asked to perform crypto functions on data and returns data. Examples of this are smart cards, HSMs, TPMs and TPM equivalents; the iPhone has a TPM equivalent and that is used for the Keychain. By chance my wife and I were discussing this very topic yesterday. :-)
As far as I know, for encryption of bulk data, iOS does use special hardware instructions to aid AES encryption for speed, but that would not be considered hardware encryption due to the key being available in software. There is a little guessing here due to the lack of information about the Apple A-series ARM chips; it is true of the Intel chips in Macs.

Need to encrypt Core Data

I am making an iOS application where all data stored in Core Data needs to be encrypted when the app is not in use. I understand that newer iOS devices (and devices running iOS 4 +) have access to hardware encryption and special protection APIs, but to my understanding, these only apply when the device is locked. There is no guarantee that users of my app will have a password lock on their devices, yet I still need to encrypt.
Also, I would prefer not to encrypt every individual core data attribute by using transformable attributes, and I understand this makes querying much more difficult. Preferably, I would like to do something like encrypt the core data file on app-close, and un-encrypt it on app-open (I know this might be slower).
Any solutions?

is localStorage on iPad Safari guaranteed to be persistent?

I've seen differences of opinion across the web on this. It has been said that starting with iOS 5.1, local data storage for HTML5 content on the iPad is no longer guaranteed to be persistent, however on Apple's current Safari developer pages (https://developer.apple.com/technologies/safari/html5.html), offline persistence is suggested to be guaranteed.
Does anyone have any recent experience with this subject and able to comment on how reliable the database features of HTML5 are with Safari on iPad?
This will probably be enough information:
The w3c spec of localStorage is:
The second storage mechanism (note: localStorage) is designed for storage that spans multiple windows, and lasts beyond the current session. In particular, Web applications may wish to store megabytes of user data, such as entire user-authored documents or a user's mailbox, on the client side for performance reasons.
And on the Apple page:
Safari supports the latest HTML5 offline data storage features. Your application can store its information on the local machine using either a simple key/value-based data store, or a robust SQL database. The data is stored locally and persists across launches of Safari so your application doesn’t need a network connection to access the data, improving startup time and overall performance.
And searching Google (and Yahoo! because of some anti-google freaks) gives me:
In iOS 5.1 Apple have moved the location of localStorage files into a Caches folder which is subject to occasional clean up, at the behest of the OS, typically if space is short. It is likely that Apple have done this to stop localStorage being backed up to iCloud.
localStorage not accessible in IOS-6 Safari
I am not able to access localStorage in Safari (IPad with IOS-6).
For example, the following code is working fine in Windows on all browsers and on (iPad with iOS-5) but not in iOS-6:
localStorage.setItem("var","5");
alert(localStorage.getItem("var"));
Answer:
I was able to fix the issue by turning off private browsing on the iPad. I came across the solution from the reference : https://github.com/cloudhead/less.js/issues/312#issuecomment-2994845
Yes, Apple cleans up localStorage when the device is low on storage space. (I actually tested this and can confirm it with certainty.)

encrypting/ decrypting strings to text

I am creating an app that would allow people to share sensitive info with each other via the iPhone SMS app. I want to make use of the security framework that Apple provides, using keys that the people sharing that data know beforehand to encrypt and decrypt strings. I don't have much knowledge about the whole keychain system on iOS devices or security protocols in general, so does anyone know any good resources for learning about this stuff?
Try
http://useyourloaf.com/blog/2010/3/29/simple-iphone-keychain-access.html
http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code
http://dev-metal.blogspot.com/2010/08/howto-use-keychain-in-iphone-sdk-to.html
