
Protect App resources from prying eyes?




thisma
Nov 27, 2009, 05:04 AM
Hey,

I'm looking for a way to protect / encrypt some proprietary files that my app needs to operate. I seem to not have the correct words to find the answer via google or the Apple developer documentation.

I want to make sure that, if a person opens the ipa files and starts poking around, these files will not be readable.

- Joshua



ghayenga
Nov 27, 2009, 10:24 AM
> Hey,
>
> I'm looking for a way to protect / encrypt some proprietary files that my app needs to operate. I seem to not have the correct words to find the answer via google or the Apple developer documentation.
>
> I want to make sure that, if a person opens the ipa files and starts poking around, these files will not be readable.
>
> - Joshua

That would be "encryption". If you're including them as resources then anyone can open the backup and the app bundle and find your files. To make them unreadable you need to encrypt them and have your app decrypt them before it uses them.
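A sketch of the "encrypt the resource, decrypt it in the app" approach described above, using CommonCrypto. This is an added example, not code from any poster in the thread; the function name `LoadProtectedPlist`, the file layout, and the `encKey`/`macKey` parameters are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <CommonCrypto/CommonHMAC.h>

// Assumed file layout (constructed for this example), produced at build time:
//   16-byte IV || AES-128-CBC ciphertext (PKCS7) || 32-byte HMAC-SHA256(IV || ciphertext)
// encKey (16 bytes) and macKey are hypothetical. They ship inside the app, so this
// raises the effort needed to read the file; it does not stop someone who pulls
// the keys out of the running process.
static NSDictionary *LoadProtectedPlist(NSString *path, NSData *encKey, NSData *macKey)
{
    NSData *blob = [NSData dataWithContentsOfFile:path];
    if (blob == nil || [encKey length] != kCCKeySizeAES128 ||
        [blob length] < kCCBlockSizeAES128 * 2 + CC_SHA256_DIGEST_LENGTH) {
        return nil;
    }
    const uint8_t *bytes = [blob bytes];
    size_t bodyLen = [blob length] - CC_SHA256_DIGEST_LENGTH;   // IV + ciphertext

    // Verify the MAC before decrypting; compare without an early exit.
    uint8_t mac[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, [macKey bytes], [macKey length], bytes, bodyLen, mac);
    uint8_t diff = 0;
    for (size_t i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        diff |= mac[i] ^ bytes[bodyLen + i];
    }
    if (diff != 0) return nil;                                   // tampered or wrong key

    size_t cipherLen = bodyLen - kCCBlockSizeAES128;
    NSMutableData *plain = [NSMutableData dataWithLength:cipherLen];
    size_t moved = 0;
    CCCryptorStatus status = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                     [encKey bytes], kCCKeySizeAES128,
                                     bytes,                              // IV
                                     bytes + kCCBlockSizeAES128, cipherLen,
                                     [plain mutableBytes], cipherLen, &moved);
    if (status != kCCSuccess) return nil;
    [plain setLength:moved];                                     // drop the padding

    // Parse in memory; the decrypted plist is never written back to disk.
    id obj = [NSPropertyListSerialization propertyListWithData:plain
                                                       options:NSPropertyListImmutable
                                                        format:NULL
                                                         error:NULL];
    return [obj isKindOfClass:[NSDictionary class]] ? obj : nil;
}
```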

jnic
Nov 27, 2009, 11:19 AM
> I'm looking for a way to protect / encrypt some proprietary files that my app needs to operate. I seem to not have the correct words to find the answer via google or the Apple developer documentation.
>
> I want to make sure that, if a person opens the ipa files and starts poking around, these files will not be readable.

You can never defeat a sufficiently determined attacker; the best you can hope to do is make it prohibitively difficult so that none of your users invest the time to defeat it.

In this case, a user could load your running app into a debugger and extract the decryption key from memory.

firewood
Nov 27, 2009, 05:06 PM
It's usually not possible to defeat a determined and skilled attacker with physical access to standard consumer hardware.

There is the question of whether the methods that can usually defeat lazy or unskilled snoops (e.g. those too lazy to even google for the tools written by the skilled attackers) from prying into your content are of sufficient value for your purposes.

e.g. a really simple substitution cipher might be enough to keep your little kid sister from reading the secret password to your club's treehouse.

thisma
Nov 27, 2009, 10:38 PM
Thank you for all the responses!
Unfortunately I still feel stuck.

> That would be "encryption".

Encryption was in fact the first thing I looked up. I eventually found a bread crumb trail left by Apple that seemed promising until I started finding lines like this one (found in TypesSecVuln.html (http://developer.apple.com/iphone/library/documentation/Security/Conceptual/SecureCodingGuide/Articles/TypesSecVuln.html)):

"The problem of how to protect a vendor's data from being copied or used without permission is not addressed here."

I continued down the path anyway and found the Certificate, Key, and Trust Services Reference (http://developer.apple.com/iphone/library/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html). This however is obviously intended to be used as a way to encrypt the user's data, not the vendor's data. I may be able to get it to "keep the kid sister out of the club house" but I figure that the less I do, pushing round pegs into square holes, the more secure the data will actually be. ghayenga and jnic are together right on here:

> If you're including them as resources then anyone can open the backup and the app bundle and find your files. To make them unreadable you need to encrypt them and have your app decrypt them before it uses them.

> the best you can hope to do is make it prohibitively difficult so that none of your users invest the time to defeat it.
>
> In this case, a user could load your running app into a debugger and extract the decryption key from memory.

So I'm looking for something that is actually intended for this purpose.
My searches continue to reveal ways to encrypt the user's data.

Still looking - Please help
- Joshua

mraheel
Nov 28, 2009, 12:01 PM
This was my concern too. And it's really about what you're trying to protect. Are they a set of strings or images or more? Protecting images/copyrighted material is a long shot. Almost all apps are exposed to this.

I am using an sqlite db as my data source. There are some encryption libraries like sqlcipher that tell us how to protect it, which I could never figure out, but then, it's not foolproof.

Luke Redpath
Nov 28, 2009, 12:35 PM
I'm curious about what you're actually trying to protect.

thisma
Nov 28, 2009, 05:27 PM
> I'm curious about what you're actually trying to protect.

The main thing is a big (file size>2MB) plist/NSDictionary. The file contains data of which each user is likely to use only a very small amount. Different parts of the file for each user, of course, depending on their unique requirements. This data needs to be searchable with results returned in a fraction of a second (read instantly). That all works fine... if the data is stored on the device.

It would be best if competitors not get a hold of that data. Thus the desire for it to be secured somehow. Once the app is released the app will display parts of the data visibly but it seems unlikely that someone will go through the steps required to glean information from the tens of thousands of entries manually.

-Joshua

Luke Redpath
Nov 28, 2009, 05:48 PM
> The main thing is a big (file size>2MB) plist/NSDictionary. The file contains data of which each user is likely to use only a very small amount. Different parts of the file for each user, of course, depending on their unique requirements. This data needs to be searchable with results returned in a fraction of a second (read instantly). That all works fine... if the data is stored on the device.
> -Joshua

Could your app not download the data from a web server and store it locally on first run? As long as users are advised to perform the initial sync on a wifi connection, 2MB isn't exactly big.