Hi All,

I have a Core Data-based iPhone app with a pre-populated read-only database. What protection (if any) can I apply to my database to reduce the likelihood of piracy / the database being read off a jail-broken iPhone?

Most code examples for using a pre-populated sqlite database show the database being copied from the app bundle into the app's documents directory on the iPhone and this is completely visible on a jail-broken iPhone. Instead, I thought about using the database directly from the app bundle as follows:

- (NSPersistentStoreCoordinator *)persistentStoreCoordinator {

    if (persistentStoreCoordinator != nil) {
        return persistentStoreCoordinator;
    }

    NSURL *storeUrl = [NSURL fileURLWithPath: 
        [[[NSBundle mainBundle] resourcePath] stringByAppendingPathComponent:
             @"MyDatabaseName.sqlite"]];

    // ... followed by standard persistentStoreCoordinator code ...
}

When I put a breakpoint on the store url this returns just another file location which I'm guessing is just as visible as the documents directory in a jail-broken iPhone:

<CFURL 0x139610 [0x38388ff4]>{type = 15, string = file://localhost/var/mobile/Applications/6ACD76F0-396D-4DB1-A46B-B2459A084063/MyiPhoneApp.app/MyDatabaseName.sqlite, base = (null)}

Can someone please confirm if the above is correct and/or if there are other ways to address this issue (I'm not looking to encrypt or anything like that ... hoping for a quick protect solution)? Appreciate a determined hacker will get what they want -- I want to at least put up some resistance if I can.

Thanks

+4  A: 

First, yes you can store a read-only database inside of your app bundle and access it directly from there.

Second, the only way to protect the data is to keep it encrypted on disk and unencrypted in memory. This cannot easily be done using Core Data in its current form. What you can do is to encrypt certain columns of the database and decrypt them only in memory. This is accomplished by storing the columns as binary data but that also means you cannot do any searches on those columns.

Update

Even trying to avoid jailbroken phones (which is not a 100% guarantee that the person is a criminal; keep in mind that developers frequently jailbreak their phones for honest reasons) will not protect your data. The data is sitting inside of a zip file on their desktop computer and is accessible without ever being run or touching a CocoaTouch device.

If the data is that private then you need to put it on a webservice and never store it on the device. Anything on the device (or any device for that matter) is accessible and subject to reverse engineering.

Marcus S. Zarra
Thanks Marcus. Unfortunately the columns to protect have searches applied so storing as binary isn't the most feasible solution. One thought that just occurred to me is whether I can detect a jail-broken phone at start-up. If detected, I can delete the database from /var/mobile/... (or documents directory if db lives there) and just exit/not run the app at all. One variation of this is to have the database deleted from its file location at the end of each application run (add code in applicationWillTerminate) so that the database is never left on the file system. Does this sound feasible?
Tofrizer
Having done some more thinking and researching, I agree with your update. There may be some initial measures that one can take to prevent the most basic of hack attempts -- eventually though, a determined hacker will get what they want.
Tofrizer
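
The trade-off the answer describes (an encrypted column stored as binary data can no longer be searched by the database), as an added example that is not part of the original thread. It uses Python's sqlite3 rather than Core Data; the table, rows and key are constructed, and the HMAC-based cipher is a stdlib-only stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import sqlite3

KEY = b"constructed-demo-key"  # assumption: a real app still has to ship or fetch this key

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a vetted AEAD such as AES-GCM.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_field(key, text):
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, text.encode("utf-8"))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # stored as one BLOB

def decrypt_field(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted column failed its integrity check")
    return _xor_stream(_subkey(key, b"enc"), nonce, body).decode("utf-8")

def build_db(titles):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, title BLOB)")
    db.executemany("INSERT INTO item (title) VALUES (?)",
                   [(encrypt_field(KEY, t),) for t in titles])
    return db

def sql_search(db, term):
    # The database only ever sees ciphertext, so a predicate on the column finds nothing.
    return [r[0] for r in db.execute("SELECT id FROM item WHERE title LIKE ?", (f"%{term}%",))]

def memory_search(db, term):
    # Searching means decrypting every row in memory first, then filtering.
    return [i for i, blob in db.execute("SELECT id, title FROM item ORDER BY id")
            if term in decrypt_field(KEY, blob)]

if __name__ == "__main__":
    db = build_db(["Thai green curry", "Lamb curry", "Apple pie"])  # constructed rows
    print(sql_search(db, "curry"), memory_search(db, "curry"))
```

Because the key has to be available to the app, this raises the effort needed to read the file but does not change the answer's conclusion about data stored on the device.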