6

I have a CloudKit app that has data in publicDB. This is secure data that's able to be created and read by any authorized user, but I limit that based on the queries my app makes. For example, a data object stating a relationship to user A and user B, but not user C won't ever be queried by user C.

I'm concerned about the possibility of somebody potentially jailbreaking/hijacking my app and performing queries which an authorised app has the ability to do, but wouldn't ever do. How can I be sure that an 'Authenticated' user is in fact a genuine authenticated user using my app normally, and not some third party injecting code into my app?

rmaddy
Andrew
  • I have the same doubt because now you can create a token for WEB/JS access and anyone can change something. What I do in a testing idea is use encryption when the data is private and other users should not have access to read it. It is very complicated, but it is a solution when your data is sensitive and must be in the publicDB. Try asking Apple directly in the bug reporter. – Joel Jan 11 '16 at 23:24

1 Answer

0

You can limit which domains are allowed to make queries against your CloudKit container. In the CloudKit Dashboard, click on your container, then go to API Access, click on your API token, then note the domain restriction option:


As long as you set it to your own domain name, you'll be fine.

Clifton Labrum
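The comment on the question suggests encrypting private data that has to live in publicDB. The sketch below is an added example, not code from any poster on this page: it assumes each user keeps an X25519 private key on the device and publishes the public key, and the choice of X25519, HKDF-SHA256 and ChaCha20-Poly1305 from CryptoKit, along with every name and sample value, is this example's own. The sealed blob is what would be stored in a bytes field of the public record, so a client that issues a query the app never makes still receives only ciphertext.

```swift
import CryptoKit
import Foundation

/// Derives the key shared by two users from one side's private key and the
/// other side's public key (X25519 followed by HKDF-SHA256).
func pairKey(mine: Curve25519.KeyAgreement.PrivateKey,
             theirs: Curve25519.KeyAgreement.PublicKey) throws -> SymmetricKey {
    let secret = try mine.sharedSecretFromKeyAgreement(with: theirs)
    return secret.hkdfDerivedSymmetricKey(using: SHA256.self,
                                          salt: Data(),
                                          sharedInfo: Data("relationship-record-v1".utf8),
                                          outputByteCount: 32)
}

/// Encrypts a payload. The record name is bound as associated data, so a
/// ciphertext copied into a different record fails authentication.
func seal(_ plaintext: Data, recordName: String, key: SymmetricKey) throws -> Data {
    try ChaChaPoly.seal(plaintext, using: key,
                        authenticating: Data(recordName.utf8)).combined
}

/// Decrypts and authenticates a blob read back from the public record.
func open(_ blob: Data, recordName: String, key: SymmetricKey) throws -> Data {
    let box = try ChaChaPoly.SealedBox(combined: blob)
    return try ChaChaPoly.open(box, using: key, authenticating: Data(recordName.utf8))
}

// Constructed demo identities: A and B are the related users, C is any other
// authenticated user of the same container.
let a = Curve25519.KeyAgreement.PrivateKey()
let b = Curve25519.KeyAgreement.PrivateKey()
let c = Curve25519.KeyAgreement.PrivateKey()

// A writes the record; "rel-001" is a constructed record name.
let keyAB = try pairKey(mine: a, theirs: b.publicKey)
let blob = try seal(Data("A and B are connected".utf8), recordName: "rel-001", key: keyAB)

// B derives the same key from its own private key and A's public key.
let keyBA = try pairKey(mine: b, theirs: a.publicKey)
let readByB = try open(blob, recordName: "rel-001", key: keyBA)
print("B reads:", String(decoding: readByB, as: UTF8.self))

// C can fetch the same bytes but derives a different key, so opening throws.
do {
    let keyCA = try pairKey(mine: c, theirs: a.publicKey)
    _ = try open(blob, recordName: "rel-001", key: keyCA)
    print("unexpected: C decrypted the record")
} catch {
    print("C cannot decrypt:", error)
}
```

This protects confidentiality of the field only; whether other users can overwrite or delete the record is still governed by the container's own permissions.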