I'm developing an app that's pretty simple, and the important part of it is the content, which consists of lots of info that has been gathered over many years. I want to format it in a nice way to show to the user.

When the user downloads the app and first loads it, it goes to the server to get the whole database into the phone. Then, he can see the important items, and sort/filter through them. To avoid somebody taking my database, I'll use an SSL connection. I know if they want they could use the app to see every piece of content one by one, but there's nothing to do about that.

The thing is: I have the data in the cloud (mine). I can securely download it using an SSL connection (any other ideas to secure the transfer?). When I get it here, I'll save it in a db (Core Data is the obvious choice).

How can I secure the data in the internal database, so if the app is hacked, someone cannot access the db? I would put it in the keychain but it's a rather large db for that and it's not that important. (It's not sensible info, just info I don't want anybody to get massively.)

The other thing I could do is to never store anything in the device and have the user always making calls to the cloud, but I think this would be too time consuming. And just give him the option to save their favorite picks to the device. But that's too time consuming and there is the sync issue.

This is a reference I looked up about a similar issue, without the part I'm asking answered: How to encrypt iPhone upload and download of info?

Daniel

2 Answers

Basically, the only choice is to use SqlCipher. Of course, you have to port it to iPhone yourself (unless someone else has posted a port since last I looked). But it's not an insurmountable task.

Of course, even with SqlCipher you have the challenge of storing the key somehow. There's no really secure way to do this -- you have to use some form of "security by obscurity".

Hot Licks
  • I could store the key in the keychain, that's supposedly the safest part on an iPhone (it even has hardware encryption) – Daniel Jul 13 '12 at 21:46
  • SqlCipher seems quite easy to use! http://sqlcipher.net/ios-tutorial/ And you can buy it ready for iOS now for 150 bucks. (I just met the company, just commenting it because it's relevant to the answer and could be useful for somebody in the future) – Daniel Jul 13 '12 at 21:53
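
Added example, not part of the original answer or comments and not SQLCipher's own code: one way to combine the two points above, a random per-install SQLCipher key kept in the iOS keychain instead of in the app binary. The service and account strings are constructed, and the `SQLCipher` module name is an assumption about how the library is linked.

```swift
import Foundation
import Security
import SQLCipher  // assumption: SQLCipher is linked and exposed under this module name

// Constructed identifiers for this example.
let keyService = "com.example.contentdb"
let keyAccount = "sqlcipher-key"
enum KeyStoreError: Error { case random(OSStatus), keychain(OSStatus), database(Int32) }

/// Returns the per-install database key, creating it on first launch.
func loadOrCreateDatabaseKey() throws -> Data {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keyService,
        kSecAttrAccount as String: keyAccount,
    ]
    var query = base
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var found: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &found)
    if status == errSecSuccess, let key = found as? Data { return key }
    guard status == errSecItemNotFound else { throw KeyStoreError.keychain(status) }
    // First launch: 32 random bytes generated on the device, never shipped in the binary.
    var bytes = [UInt8](repeating: 0, count: 32)
    let rc = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard rc == errSecSuccess else { throw KeyStoreError.random(rc) }
    let key = Data(bytes)
    var add = base
    add[kSecValueData as String] = key
    // ThisDeviceOnly: the key is not restored onto another device from a backup.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let addStatus = SecItemAdd(add as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw KeyStoreError.keychain(addStatus) }
    return key
}

/// Opens the SQLCipher database at `path` and checks the key by reading the schema.
func openEncryptedDatabase(at path: String) throws -> OpaquePointer {
    let key = try loadOrCreateDatabaseKey()
    var db: OpaquePointer?
    var rc = sqlite3_open(path, &db)
    guard rc == SQLITE_OK, let handle = db else { sqlite3_close(db); throw KeyStoreError.database(rc) }
    rc = key.withUnsafeBytes { sqlite3_key(handle, $0.baseAddress, Int32(key.count)) }
    // A wrong key only surfaces on the first read, so force one here.
    if rc == SQLITE_OK { rc = sqlite3_exec(handle, "SELECT count(*) FROM sqlite_master;", nil, nil, nil) }
    guard rc == SQLITE_OK else { sqlite3_close(handle); throw KeyStoreError.database(rc) }
    return handle
}
```

The keychain raises the cost of extracting the key, but code running inside the app's own process can still read it, which is the limit the answer describes.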
Why not just have some private key info stored in the code, and then when you want to download the database just have it query the server with the key? That way you won't need to worry about SSL or encryption in the downloading part. In regards to storing it I agree with Hot Licks, SqlCipher appears to be the best and only option. However, watch out for encryption, as you will have to declare it to Apple and get all kinds of export permits (http://stackoverflow.com/questions/2135081/does-my-application-contain-encryption).

Hope this helps,

Jonathan

Jonathan King