4

If I use SSL connection for my iphone app to query the database using web as the datasource, is it possible that the links and info that goes back and forth from the server to iphone will be encrypted in a way that nobody could see it. Additionally, i believe that the iPhone caches info, the web interface can cache data going to and from the device.

By another person i was told this:

SSL is only the transfer, what the app uses on the device is not encrypted just because what is transferred is. If the app uses no cache and you use SSL, you could be safe, the simple fact is that almost all apps cache data prior to transmitting it. Therefore, you would have unencrypted data on your device.

So what are my options if i want to build an app that uses the web as the datasource, stores nothing on the app, and uses no cache. I want all data coming from and to to be encrypted.

ariel
  • 2,962
  • 7
  • 27
  • 31
  • You might want to tell us what you are actually trying to achieve. – Maarten Bodewes May 08 '12 at 23:43
  • The app will have sensitive info like credit card #'s etc. In case of an phone hack or somebody exploring the app code wise i don't want them to be able to get user info exposed from the phone.. – ariel May 08 '12 at 23:51
  • @ariel Store those credit card numbers in a data structure you can overwrite yourself (like a `malloc`'ed array) and never write them out to a file. The only way "exploring the app code" will reveal credit card numbers is if you are storing them in the code to begin with, which would be an incredibly bad practice. – Shaggy Frog May 08 '12 at 23:59
  • @shaggyfrog i wouldn't want to store in the code i just simply want it to be uploaded to the database through a internet connection so no storing on the phone itself? – ariel May 09 '12 at 00:10
  • If they can hack into your app while it's running they can access the unencrypted data. Nothing you can do about that. – Hot Licks May 09 '12 at 00:16

2 Answers2

3

At some point, you're going to receive data from a server. That data needs to be put somewhere, like in a data buffer. There's absolutely no way around that. If you're using SSL then the transfer process will be encrypted. As your "other person" said, as long as you don't explicitly cache the data, then that's about as much as you can do to protect yourself on iOS.

I'm not sure exactly what you're expecting here, otherwise.

Shaggy Frog
  • 27,575
  • 16
  • 91
  • 128
  • Hey, what i want is an app that is secure enough that nobody can crack the data from the phone. If i am not wrong nobody can break an app to get user info, correct? So i guess in that way we are secure but i am concerned with user phone being stolen and having data cache. I am not a experienced developer so i don't know much but isn't that the same thing as having a web cache on your computer? – ariel May 08 '12 at 23:52
  • @ariel you are heading into the rabbit hole of software security. You must first understand that if you have access to the data while the app is running, a determined attacker will also have access to that data. There's no way to *guarantee* an attacker won't compromise your app, so do the simple things to make it difficult: use SSL and don't store data locally. How much time do you have to be securing your app versus getting other work done? – Shaggy Frog May 08 '12 at 23:57
  • Well, i am having a third party person help me since i am PHP developer. He said he will use XML as a way to get user info and then when i told him about security he said that all major apps use XML but i insisted on SSL. It seems i might have to engage a PRO to help me out. – ariel May 09 '12 at 00:09
  • 1
    @ariel the choice of data format has zilch to do with security – Shaggy Frog May 09 '12 at 00:19
  • 1
    @ariel there is no such thing as a system that is "100% secure" – Shaggy Frog May 09 '12 at 01:36
2

None. To do anything except transferring the data, you need to have it decrypted. If it is decrypted it will be in the RAM of your device. How secure that is depends on the application. In theory there are some operations that can be performed on encrypted data, but in practice this is only useful for a handful of applications (and it's a hard thing to develop).

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263