Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Securing Coredata objects

I am working on an application which has got some sensitive information. I am aware that it would be difficult for a layman to hack into iphone to get the information. If I use SQLite directly I have something called SQLite Cipher to encrypt / encode the database.

Is there anyway where I can have the same way of encrypting the coredata so it makes it hard for hackers to get into the data.

Can someone shed some light on this?

Thanks in Advance

like image 685
Abraham Durairaj Avatar asked Apr 12 '10 19:04

Abraham Durairaj


People also ask

How secure is Core Data?

Does Core Data encrypt the persistent store it manages? The answer is yes and no. Core Data doesn't encrypt the data you store in the persistent store, but it is possible to enable encryption.

Should I use Core Data?

The next time you need to store data, you should have a better idea of your options. Core Data is unnecessary for random pieces of unrelated data, but it's a perfect fit for a large, relational data set. The defaults system is ideal for small, random pieces of unrelated data, such as settings or the user's preferences.

Is Core Data a database?

Core Data is not a database. Core Data is a framework for managing an object graph. An object graph is nothing more than a collection of interconnected objects. The framework excels at managing complex object graphs.

Is Core Data a framework?

Core Data is a framework that you use to manage the model layer objects in your application. It provides generalized and automated solutions to common tasks associated with object life cycle and object graph management, including persistence.


2 Answers

Core data is now encrypted by default (hardware encryption) on iPhone 3GS and later devices, including iPad. This means that data is automatically encrypted with a hardware key. In iOS 4 or later, by following the steps at Nick Harris' more detailed blog entry, a second layer of encryption (called 'data protection') can be enabled which also uses the user's password to encrypt the hardware key.

All of this depends on users setting a secure passcode and enabling data protection in iOS 4. If you're a registered apple developer, you can also watch the WWDC 2010 video on "Securing Application Data" in iTunes at this link and look at the PDF of the slides here after entering your developer id and password, for more detailed information about file encryption.

To enable data protection, in your - (NSPersistentStoreCoordinator *)persistentStoreCoordinator call, just change the file attributes of your .sqlite file using the key and value below. See Nick Harris' blog for more detailed code, including how to check to see if iOS 4 or higher is active.

NSURL *storeURL = [[self applicationDocumentsDirectory] URLByAppendingPathComponent:@"MyAppName.sqlite"];
NSString *storePath = [storeURL path];
NSDictionary *fileAttributes = [NSDictionary dictionaryWithObject:NSFileProtectionComplete forKey:NSFileProtectionKey];
[[NSFileManager defaultManager] setAttributes:fileAttributes ofItemAtPath:storePath error:&error]
like image 122
Victor Van Hee Avatar answered Sep 21 '22 09:09

Victor Van Hee


The Core Data Programming Guide says explicitly that the SQL store type is a little more secure than XML or binary, but is not inherently secure - it recommends an encrypted disk image. Unfortunately, that's a little hard to manage on the iPhone.

What you might consider, if this is a real concern for you, is to build your own persistent store type - the Guide has a section on creating your own atomic store, and refers you to the Atomic Store Programming Topics document. Build a store that takes some key from a user prompt at startup, then initializes with that key for encryption and decryption purposes. (Note that if you take this route, the NSPersistentStore class reference says that subclassing NSPersistentStore directly is not supported in Core Data - you should subclass NSAtomicStore instead.)

like image 40
Tim Avatar answered Sep 22 '22 09:09

Tim