Hi guys, I like to use CoreData and its entity model in my projects.

I need to know how to store a SQLite database on the iPhone securely. As everybody knows, when an iPhone is jailbroken its file system becomes navigable; for me that means someone can easily open my SQLite db or copy it to another environment. How do I protect my db against these issues?

Thank you

+1  A: 

Answer in bold.

If they have jailbroken your iPhone and have the will to steal data, they will probably have the ability to decrypt anything you put there; this is especially so if the data is of any value. To use encryption in this scenario your application will have to store the password somehow, unless you expect the user to enter this every time using the iPhone keyboard -- which is a big no-no from a usability point of view. I suggest you rely on the access barricades and remote-wipe facility provided by Apple.

If you are going to rely on Apple's 4-numeric PIN as a password -- i.e., to balance usability.... well that only has 10,000 combinations.... not very secure.

However.... the simplest and the time-tested approach is to use a reversible encryption block-cypher in block-chained mode to encrypt the content of the sensitive columns, and to retrieve the password from the user every time the application is started.

-- edit : further discussion --

If I was expecting contents to be encrypted in a mobile way, I would expect the user of the contents to have a USB stick with the contents on it and a security-hardened laptop/netbook with something like TrueCrypt running on it.

Hassan Syed
Hmm, I'm talking about exactly thousands of records, like a dictionary; I have to protect this data. So, how about the performance? When I query thousands of records I think performance is going to be poor, isn't it?
fyasar
And thank you for your quick answer Hassan
fyasar
Yes. Firstly, because you can only index them in obfuscated (encrypted) form. Secondly, because they will have to be decrypted (which I think you are concerned about) -- the blowfish cypher is your best bet for performance. However, this is likely to not be part of any encryption library provided by Apple.
Hassan Syed
also, even if you take this approach and you can get it to perform, the battery will run dry really quickly :/
Hassan Syed
"If they have jailbroken your iphone they are smart enough to decrypt anything you put there" - I think you greatly overestimate the technical capability of most jailbreakers. Unless they are extremely motivated to get at this data, any amount of encryption would be like a locked door, they'd just move on to an easier target.
Brad Larson
@brad that's the point I was sort of trying to get across :P
Hassan Syed
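The approach described in the answer above (a block cipher in chained mode over the sensitive columns, keyed from a password the user enters at launch), as an added example that is not code from any poster on this page. It uses Swift with Apple's CommonCrypto and AES-256-CBC; the HMAC tag, the function names, the blob layout and the round count are assumptions of this sketch.

```swift
import Foundation
import CommonCrypto
import Security

enum ColumnCryptoError: Error { case kdf, random, cipher, tampered }
typealias ColumnKeys = (enc: [UInt8], mac: [UInt8])   // hypothetical helper type

// PBKDF2-HMAC-SHA256 -> 64 bytes: first 32 for AES-256, last 32 for the HMAC key.
// `salt` is random, created once per install and stored beside the database.
// The default round count is a constructed value; tune it on the target device.
func deriveKeys(password: String, salt: [UInt8], rounds: UInt32 = 200_000) throws -> ColumnKeys {
    var out = [UInt8](repeating: 0, count: 64)
    let rc = CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2), password, password.utf8.count,
                                  salt, salt.count, CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                                  rounds, &out, out.count)
    guard rc == Int32(kCCSuccess) else { throw ColumnCryptoError.kdf }
    return (Array(out[0..<32]), Array(out[32..<64]))
}

func hmac(_ key: [UInt8], _ data: [UInt8]) -> [UInt8] {
    var tag = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
    CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), key, key.count, data, data.count, &tag)
    return tag
}

// AES-256-CBC with PKCS#7 padding; `op` is kCCEncrypt or kCCDecrypt.
func aesCBC(_ op: Int, key: [UInt8], iv: [UInt8], input: [UInt8]) throws -> [UInt8] {
    var out = [UInt8](repeating: 0, count: input.count + kCCBlockSizeAES128)
    var moved = 0
    let rc = CCCrypt(CCOperation(op), CCAlgorithm(kCCAlgorithmAES), CCOptions(kCCOptionPKCS7Padding),
                     key, key.count, iv, input, input.count, &out, out.count, &moved)
    guard rc == Int32(kCCSuccess) else { throw ColumnCryptoError.cipher }
    return Array(out[0..<moved])
}

// Value stored in the column: IV || ciphertext || HMAC(IV || ciphertext).
func sealColumn(_ plaintext: String, keys: ColumnKeys) throws -> Data {
    var iv = [UInt8](repeating: 0, count: kCCBlockSizeAES128)
    guard SecRandomCopyBytes(kSecRandomDefault, iv.count, &iv) == errSecSuccess else { throw ColumnCryptoError.random }
    let body = try iv + aesCBC(kCCEncrypt, key: keys.enc, iv: iv, input: Array(plaintext.utf8))
    return Data(body + hmac(keys.mac, body))
}

func openColumn(_ blob: Data, keys: ColumnKeys) throws -> String {
    let bytes = [UInt8](blob)
    guard bytes.count >= 64 else { throw ColumnCryptoError.tampered }   // IV + one block + tag
    let body = Array(bytes.dropLast(32)), tag = Array(bytes.suffix(32))
    let diff = zip(hmac(keys.mac, body), tag).reduce(UInt8(0)) { $0 | ($1.0 ^ $1.1) }
    guard diff == 0 else { throw ColumnCryptoError.tampered }           // check tag before decrypting
    let plain = try aesCBC(kCCDecrypt, key: keys.enc, iv: Array(body[0..<16]), input: Array(body[16...]))
    return String(decoding: plain, as: UTF8.self)
}
```

Each value gets a fresh random IV, so equal plaintexts produce different blobs and an index on the encrypted column cannot serve equality or range queries on the plaintext. Derive the keys once per launch and hold them in memory only; the per-row cost is then the AES and HMAC calls, not the key derivation.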
A: 

I was not aware that a phone can be jailbroken without the consent of the user?

On the iPhone 3GS all data stored on the phone is encrypted.

I don't know what you are storing, but leaving the security to Apple may be OK.

Did you read this? http://images.apple.com/iphone/business/docs/iPhone%5FSecurity%5FOverview.pdf

If you really only have under 10,000 records, and they are smallish - like say a short string or two in size, then you could just use an NSDictionary / NSArray with 10,000 items in memory at a cost of 10k*.256k = 2.5 MB in memory, which is not much. If the queries will be simple, then you don't need sql at all. Just run through all records on each search.

You could store an NSDictionary as an encrypted file, password protected, with the user entering the password on each launch.

Tom Andersen
iPhone data encryption is useless (http://www.wired.com/gadgetlab/2009/07/iphone-encryption/). But yeah, it's like I was trying to say: it's enough to stop a thief from getting to your data; a real hacker will get past Apple's security in a few minutes. And no, the consent of the user is not required to jailbreak the iPhone :p just the person holding it.
Hassan Syed
That article is way overblown. Yes a hacker can potentially get some data off the phone - but it's not like the average thief can jailbreak a phone they just picked up somewhere that easily. As a first line of defense the encryption is pretty good.
Kendall Helmstetter Gelner
It is not overblown; haven't you been reading the news articles of executives losing all forms of sensitive data these last 2 years? Every kid these days knows how to do script-kiddie stuff, and iPhone hacking tools come with instructional videos.
Hassan Syed
So, Hassan, do you have any suggestion about the example usage? Or could you provide any example code describing that? I would like to see an example project that uses CoreData and Blowfish together; it would help me a lot. Thank you
fyasar
A: 

Are you worried about someone who has stolen the phone getting the information? Or the person who owns the phone getting to the files your app contains?

If it's not the user there are safeguards you can take, like the password presentation every time (hint: users will hate it and your app will get all 1-star reviews).

If it's the user you are worried about, you are insane to think you can protect anything the user has on their own device. You can just apply some simple obfuscation and call it good.

Kendall Helmstetter Gelner