0

I'm considering using CloudKit to power my messaging app. With CloudKit, you can set permissions, for reading, writing and modification/deletion of data:

World - Any user, whether authenticated or not. Authenticated - A user who is logged in with iCloud Creator - A user who created a certain entry will have creator permissions over it

The permissions don't break down enough that I'd be able to specify 'Any user who has a relationship to a message', ie the sender and recipient.

Within my app, I'll only ever make the calls to retrieve data relevant to that particular user, so messages to which they're the sender or recipient. My concern is that with every message stored in this public database, I'm wondering whether a user jailbreaking the app, or doing something else malicious, might be able to insert calls to retrieve additional data, such as the data regarding other users.

If this is possible, is there another way that I could secure the data intended for between two users?

Andrew
  • 7,693
  • 11
  • 43
  • 81

1 Answers1

0

I'm testing a similar idea and what I found is you should use encryption with public/private key, then your sender must encrypt his message to the receiver with the receiver public key. Then only the receiver will be able to unencrypt the message. I don't like the idea to give access to modified the record to others users, so you should give read access to the others users, buy only the sender will have total access, so, your app should delete old messages. If your receiver need to save his messages, is better to use his private database after read and unencrypt. This is the general idea.

Joel
  • 511
  • 5
  • 8