0

I'm working on an app which will download JSONs from a server, store them in the /Library/Application Support/ folder and use them afterwards.

But after running the app on my iPad, I can see all the files, including the JSONs in the Application Support folder (the Documents folder is also visible, though), using a Mac OS X app named iExplorer.

Is there any way to prevent unauthorized people from accessing the Application Support folder? (Because now anybody who has the app running on their device can access sensitive information, including the JSONs.) Can anybody help me?

Sorry if this question is stupid, as I'm a newbie to iOS app development! Any help regarding this would be greatly appreciated.

P.S. I tried the Data Protection API and it only works when your device is locked via passcode. You can still access the data if you unlock your device with the passcode.

SiltyDoubloon

2 Answers

1

Encrypt the data so it is unusable by an attacker.

Prepare:

  1. Create a random key
  2. Save that key in the Keychain

Encrypt:

  1. Get that key from the Keychain
  2. Encrypt the file with AES using the key
  3. Save the file to the desired directory.

Decrypt:

  1. Get that key from the Keychain
  2. Read the file into memory.
  3. Decrypt the file with AES using the key

Use Common Crypto for the cryptographic functions.

Something to get started with, a 256-bit random key for AES:

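import Security
import CommonCrypto

// Returns 32 random bytes from the system CSPRNG for use as an AES-256 key.
func generate256BitKey() -> [UInt8] {
    let keyLength = Int(kCCKeySizeAES256)
    var key = [UInt8](repeating: 0, count: keyLength)
    // Do not continue with an all-zero key if the generator fails.
    let status = SecRandomCopyBytes(kSecRandomDefault, keyLength, &key)
    precondition(status == errSecSuccess, "SecRandomCopyBytes failed")
    return key
}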
zaph
  • Sounds good but seems too complicated :/ Anyways, will give it a try. Thanks :) – SiltyDoubloon Aug 17 '15 at 19:29
  • 1
    As Rob says, protecting from the user is a hard problem on to impossible depending on the level of security you are looking for. OTOH it is a big step to have an encrypted file in place of a plain text file. Using a randomly generated key is much better than an ordinary password. Putting the key in the Keychain is better than a hard-coded key in the code. Is any of this fool-proof: no. Does it make it harder and raise the bar: yes. Does it deter the casual person: probably. Does it protect it against a sophisticated attacker: no. – zaph Aug 17 '15 at 23:19
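
The Prepare, Encrypt and Decrypt steps from the answer above, put together as one Swift sketch; this is an added example, not code from either answerer. The Keychain service and account strings, `VaultError` and the function names are assumptions made for illustration, and the cipher mode (CBC with a random IV stored in front of the ciphertext) is a choice made here, since the answer only says "AES".

```swift
import Foundation
import Security
import CommonCrypto

enum VaultError: Error { case random, keychain(OSStatus), cipher(CCCryptorStatus), truncated }
// Hypothetical Keychain identifiers, chosen for this example only.
let keyQuery: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrService as String: "com.example.app.filekey",
                               kSecAttrAccount as String: "json-cache"]

func randomBytes(_ count: Int) throws -> [UInt8] {
    var bytes = [UInt8](repeating: 0, count: count)
    guard SecRandomCopyBytes(kSecRandomDefault, count, &bytes) == errSecSuccess else { throw VaultError.random }
    return bytes
}

/// Fetch the AES-256 key from the Keychain, creating and storing it on first use.
func loadOrCreateKey() throws -> [UInt8] {
    var find = keyQuery
    find[kSecReturnData as String] = true
    var item: CFTypeRef?
    if SecItemCopyMatching(find as CFDictionary, &item) == errSecSuccess, let data = item as? Data {
        return [UInt8](data)
    }
    let key = try randomBytes(kCCKeySizeAES256)
    var add = keyQuery
    add[kSecValueData as String] = Data(key)
    // Readable only while the device is unlocked; never restored onto another device.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw VaultError.keychain(status) }
    return key
}

/// AES-256-CBC with PKCS7 padding; encrypted output is IV || ciphertext.
/// CBC gives confidentiality only: add a MAC if tampering must be detected.
func aes(_ op: Int, _ input: [UInt8], key: [UInt8]) throws -> [UInt8] {
    let encrypting = (op == kCCEncrypt)
    guard encrypting || input.count >= kCCBlockSizeAES128 else { throw VaultError.truncated }
    let iv = try encrypting ? randomBytes(kCCBlockSizeAES128) : Array(input.prefix(kCCBlockSizeAES128))
    let body = encrypting ? input : Array(input.dropFirst(kCCBlockSizeAES128))
    let capacity = body.count + kCCBlockSizeAES128
    var out = [UInt8](repeating: 0, count: capacity), outLen = 0
    let status = CCCrypt(CCOperation(op), CCAlgorithm(kCCAlgorithmAES), CCOptions(kCCOptionPKCS7Padding),
                         key, key.count, iv, body, body.count, &out, capacity, &outLen)
    guard status == CCCryptorStatus(kCCSuccess) else { throw VaultError.cipher(status) }
    return (encrypting ? iv : []) + out.prefix(outLen)
}
```

Write the output of `aes(kCCEncrypt, …)` to the file in Application Support, and pass the file's bytes back through `aes(kCCDecrypt, …)` with the key from `loadOrCreateKey()` when reading it.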
1

I assume that by "unauthorized user" you mean "the owner of the device." The owner of the device cannot be considered an unauthorized user for data you send to or store on their device. Zaph's answer provides some obfuscation, but does not protect the information from the device owner. Just like data protection, this type of encryption can be reversed by anyone who can read the keychain. These techniques are to protect the user from attackers, not you from your user.

There is no effective technique to protect you from your own user. There are various obfuscation techniques (such as encryption with a key stored on the device), but they're all circumventable. There are many posts discussing this in depth. A good starting point with links to more is Secure https encryption for iPhone app to webpage and http://robnapier.net/obfuscating-cocoa.

For most problems, a little obfuscation is probably fine. It won't stop dedicated attackers, but nothing you're likely to do will either, so something simple is fine. Just don't believe it's going to protect you from your own users. That's a much, much harder problem (see the links for more on that).

Rob Napier