0

in 2017 I would like to make an ios App for iphones/ipads in which I will have a database. The database is the result of 7 years of research. This database is highly important to us. If it gets stolen, it could destroy our business.

Our idea is a medical app. Users put their symptoms and it queries the database that gives the disease.

A developer told me it was not possible to protect the database. So its offer was simple : the symptoms are asked locally, then it generates a code that is sent to a server (internet). The server reads the code and process the query and sends back its result. The security is done on the server and not on the ios App. I dont like that solution as it is not local.

Another developer told me it was possible. The database is encrypted and decrypted in the RAM. It is highly secured. At least as secured as a server.

I dont know what to think, but I really would like to have your lights.

I would like the database to be highly secured and the app to work in local (no internet).

Thanks for your help

PS: I forgot to add that users never write on the database. They are just using it...

jbesclapez
  • 1
  • 4
  • Refer : http://stackoverflow.com/questions/4753433/encrypting-sqlite-database-file-on-ios and https://www.zetetic.net/sqlcipher/ios-tutorial/ – Venk Jan 04 '17 at 11:43
  • There's a lot of good information out there on the topic - this is a bit too broad to work as a Stack Overflow question, which generally expects very focused technical questions. The short answer is probably going to be that there's no way you can ever have 100% security, although you *may* be able to reach a level that's *reasonably* secure. The only really safe way is indeed storing the data on a secure server. – Pekka Jan 04 '17 at 11:49
  • Just Google around for e.g. `ios secure local database`, http://stackoverflow.com/questions/4292451/how-should-i-secure-a-sqlite-database-in-ios – Pekka Jan 04 '17 at 11:50
  • http://stackoverflow.com/questions/1645007/how-can-i-encrypt-coredata-contents-on-an-iphone – Pekka Jan 04 '17 at 11:51
  • https://www.raywenderlich.com/45645/ios-app-security-analysis-part-1 – Pekka Jan 04 '17 at 11:51
  • Some of the docs you are sending are more than 7 years old... security must have improved no? – jbesclapez Jan 04 '17 at 12:48

1 Answers1

0

In my openion

If the data is extremely sensitive then it should never be stored offline on the device because all devices are crackable. The keychain is one option for storing data securely. However it's encryption is based on the pin code of the device. User's are not forced to set a pin, so in some situations the data may not even be encrypted. In addition the users pin code may be easily hacked. A better solution is to use something like SQLCipher which is a fully encrypted SQLite database. The encryption key can be enforced by the application and separate from the user's pin code. Other security best practices are:

Only communicate with remote servers over SSL/HTTPS. If possible implement certificate pinning in the application to prevent man-in-the-middle attacks on public WiFi. Clear sensitive data out of memory by overwriting it. Ensure all validation of data being submitted is also run on the server side.

Abu Ul Hassan
  • 1,340
  • 11
  • 28
  • Thanks for your answer. You write that "all devices are crackable" but all servers too :-) SQLCipher should help sure, but is it more secure than a connecting to a remote server? – jbesclapez Jan 04 '17 at 11:54
  • of course it is please see Security section in below link https://www.zetetic.net/sqlcipher/design/ – Abu Ul Hassan Jan 04 '17 at 11:59