
How to protect sqlite db in your core-data iPhone app?

I have a Core Data-based iPhone app with a pre-populated read-only database. What protection (if any) can I apply to my database to reduce the likelihood of piracy / the database being read off a jail-broken iPhone?

Most code examples for using a pre-populated sqlite database show the database being copied from the app bundle into the app's documents directory on the iPhone and this is completely visible on a jail-broken iPhone. Instead, I thought about using the database directly from the app bundle as follows:

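- (NSPersistentStoreCoordinator *)persistentStoreCoordinator {

    if (persistentStoreCoordinator != nil) {
        return persistentStoreCoordinator;
    }

    // Open the store in place inside the app bundle instead of copying it to Documents.
    NSURL *storeUrl = [NSURL fileURLWithPath:
        [[[NSBundle mainBundle] resourcePath] stringByAppendingPathComponent:
             @"MyDatabaseName.sqlite"]];

    // Standard persistentStoreCoordinator code (Xcode template; assumes its managedObjectModel accessor).
    // The app bundle is not writable, so the store is added read-only.
    NSDictionary *options = @{ NSReadOnlyPersistentStoreOption : @YES };
    NSError *error = nil;
    persistentStoreCoordinator = [[NSPersistentStoreCoordinator alloc]
        initWithManagedObjectModel:[self managedObjectModel]];
    if (![persistentStoreCoordinator addPersistentStoreWithType:NSSQLiteStoreType
            configuration:nil URL:storeUrl options:options error:&error]) {
        NSLog(@"Unresolved error %@, %@", error, [error userInfo]);
    }
    return persistentStoreCoordinator;
}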

When I put a breakpoint on the store url this returns just another file location which I'm guessing is just as visible as the documents directory in a jail-broken iPhone:

<CFURL 0x139610 [0x38388ff4]>{type = 15, string = file://localhost/var/mobile/Applications/6ACD76F0-396D-4DB1-A46B-B2459A084063/MyiPhoneApp.app/MyDatabaseName.sqlite, base = (null)}

Can someone please confirm if the above is correct and/or if there are other ways to address this issue (I'm not looking to encrypt or anything like that ... hoping for a quick protect solution)? Appreciate a determined hacker will get what they want -- I want to at least put up some resistance if I can.

Thanks

asked May 18 '10 15:05

Tofrizer


2 Answers

First, yes you can store a read-only database inside of your app bundle and access it directly from there.

Second, the only way to protect the data is to keep it encrypted on disk and unencrypted in memory. This cannot easily be done using Core Data in its current form. What you can do is to encrypt certain columns of the database and decrypt them only in memory. This is accomplished by storing the columns as binary data but that also means you cannot do any searches on those columns.

Update

Even trying to avoid jailbroken phones (which is not a 100% guarantee that the person is a criminal; keep in mind that developers frequently jailbreak their phones for honest reasons) will not protect your data. The data is sitting inside of a zip file on their desktop computer and is accessible without ever being run or touching a CocoaTouch device.

If the data is that private then you need to put it on a webservice and never store it on the device. Anything on the device (or any device for that matter) is accessible and subject to reverse engineering.

answered Sep 18 '22 22:09

Marcus S. Zarra


You could try this: https://github.com/calebmdavenport/encrypted-core-data It looks early in development, but if you have a simple data model you might be able to get it working. It uses sqlcipher.

You could also try Encryption Transformer classes. These can break predicates. If you use NSPredicates and depending on your security needs, you can choose an encryption algorithm that preserves relative alphabetical order (roll your own if you have to). This will allow you to use predicates. The bottom of this page explains with code samples how to do it (though you'll need to find a suitable encryption algorithm as theirs breaks predicates): http://blog.artlogic.com/tag/encryption/ It encrypts fields rather than the whole database.

Stopping/detecting jailbreaking won't stop anything. You can open the app's package file on your Mac in Finder without doing a jailbreak or anything special. Syncing to iTunes pulls your app's .ipa file down, so all you need to do is go to the file and open it to get to the app's package data.

answered Sep 16 '22 22:09

ngb
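The column-level approach both answers describe (values stored as binary data, decrypted only in memory) can be sketched as a Core Data value transformer. This is an added example, not code from either answerer or from the linked projects; the class name `EncryptedStringTransformer` and its `initWithKey:` initializer are hypothetical, ARC is assumed, and how the app obtains the 32-byte key is left to the caller.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <Security/Security.h>

// Added example. EncryptedStringTransformer is a hypothetical name.
@interface EncryptedStringTransformer : NSValueTransformer
- (instancetype)initWithKey:(NSData *)key;   // 32-byte AES-256 key supplied by the app
@end

@implementation EncryptedStringTransformer { NSData *_key; }
+ (Class)transformedValueClass { return [NSData class]; }
+ (BOOL)allowsReverseTransformation { return YES; }

- (instancetype)initWithKey:(NSData *)key {
    if ((self = [super init])) _key = [key copy];
    return self;
}

// AES-CBC with PKCS#7 padding: confidentiality only, no integrity check.
- (NSData *)crypt:(CCOperation)op data:(NSData *)input iv:(const void *)iv {
    NSMutableData *out = [NSMutableData dataWithLength:input.length + kCCBlockSizeAES128];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(op, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 _key.bytes, _key.length, iv,
                                 input.bytes, input.length,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;   // wrong key size, bad padding, etc.
    out.length = moved;
    return out;
}

// Model value -> bytes written to the SQLite file: random IV followed by ciphertext.
- (id)transformedValue:(id)value {
    if (![value isKindOfClass:[NSString class]]) return nil;
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof iv, iv) != errSecSuccess) return nil;
    NSData *ct = [self crypt:kCCEncrypt data:[value dataUsingEncoding:NSUTF8StringEncoding] iv:iv];
    if (ct == nil) return nil;
    NSMutableData *blob = [NSMutableData dataWithBytes:iv length:sizeof iv];
    [blob appendData:ct];
    return blob;
}

// Stored bytes -> plaintext NSString, which exists only in memory.
- (id)reverseTransformedValue:(id)value {
    NSData *blob = [value isKindOfClass:[NSData class]] ? value : nil;
    if (blob.length <= kCCBlockSizeAES128) return nil;   // needs IV plus at least one block
    NSData *ct = [blob subdataWithRange:NSMakeRange(kCCBlockSizeAES128, blob.length - kCCBlockSizeAES128)];
    NSData *pt = [self crypt:kCCDecrypt data:ct iv:blob.bytes];
    return pt ? [[NSString alloc] initWithData:pt encoding:NSUTF8StringEncoding] : nil;
}
@end
```

Register an instance with `+[NSValueTransformer setValueTransformer:forName:]` before the store loads and name it on a Transformable attribute in the model. Because each value gets a fresh random IV, equal plaintexts produce different stored bytes, so predicates cannot match on these columns, and a key shipped inside the app bundle is as recoverable as the database itself.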