
There is a SQLite database in the app, and I want to encrypt it with SQLCipher. As we know, it's unsafe to store a password in the code, so I'm going to use the bundle identifier as part of the password.

So, I want to know whether the bundle identifier is easy to retrieve from an app on a device or a jailbroken device.

Thanks.

jdleung
  • That would not be in the least bit safe at all... – l'L'l May 15 '16 at 05:38
  • It's trivial for anyone who has downloaded your app to unzip the ipa file and see the Info.plist and all of your resources. Nothing in Info.plist is hidden. – rmaddy May 15 '16 at 05:38

2 Answers


Never use the app's bundle identifier as a password. It's easy to decipher. For example, if you have ideviceinstaller you can query the device for the bundle IDs of the installed apps:

ideviceinstaller -u <UDID> -l

There are other ways to decipher the bundle ID too, so it's suggested not to use the bundle ID as a password. Hope it helps.

  • OK, I've decided not to use it. What do you think can be used as part of the key that cannot easily be found? Thx. – jdleung May 15 '16 at 13:54

Security is hard; really the only protection is to not give anyone anything. If you do need to give them something, then it's best to ask them for a password. If you can't ask them, then the best you can do is obfuscation, even if you encrypt the data, because the best you can do is to hide the password so it's more difficult to find, or to find out how to create it.

So, it's easy to find out the bundle ID of the application; the question is how hard it is to work out what you're using as the password and how valuable the data it's protecting is.

If the data is truly valuable then protect it properly, which might involve asking the user for a password and downloading the data from a server which encrypted it on demand.

If your goal is simply to prevent access to the novice hacker then generate a GUID, encode it into the app as something other than a string literal, and use that.

You can't stop a determined and experienced hacker if you store the password anywhere inside the app...

Wain
  • SQLCipher suggests that the key should be stored online for safety, but I just want to protect the content of local SQLite files. It's bad for users to connect to the server every time the database is opened. So I'm trying to find a unique ID and add it as part of the key. Apart from the bundle identifier, which unique ID can be used and not easily be stolen? Thanks. – jdleung May 15 '16 at 13:37
  • generate a UUID and store it in the keychain – Wain May 15 '16 at 14:16
  • One more question: how can I generate a UUID separately? It must not be a random key, since I first need to encrypt the database files somewhere and put them on a server so that they can be downloaded in the app by users. Any suggestion for generating this key? Thx. – jdleung May 23 '16 at 14:07
  • If you're encrypting on the server it's best to ask the user for a password and encrypt it with that just before returning it, otherwise there are many UUID / GUID generators around – Wain May 23 '16 at 15:14
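As an added illustration of the "generate a key and store it in the keychain" approach Wain suggests in the comments (example code written for this page, not taken from the answer, from SQLCipher, or from Apple's samples): the key is 32 random bytes from the system CSPRNG, created on first launch and kept in the Keychain with a this-device-only accessibility class, then handed to SQLCipher as a raw 256-bit key. The `DatabaseKey` type, its service/account strings and `openEncryptedDatabase` are hypothetical names; the `import SQLCipher` line assumes the CocoaPods build of SQLCipher, which exposes the `sqlite3_*` C API.

```swift
import Foundation
import Security
import SQLCipher   // assumption: SQLCipher via CocoaPods; exposes sqlite3_* and PRAGMA key

/// Errors from key handling or database opening (example-only type).
enum DatabaseKeyError: Error {
    case randomFailed(Int32)
    case keychain(OSStatus)
    case sqlite(String)
}

/// Example-only helper: a random 256-bit SQLCipher key that lives in the
/// Keychain instead of in the binary or Info.plist.
enum DatabaseKey {
    static let service = "com.example.app.database"   // constructed placeholder
    static let account = "sqlcipher-raw-key"           // constructed placeholder

    /// Returns the stored key, generating and persisting it on first use.
    static func load() throws -> Data {
        if let existing = try read() {
            return existing
        }
        // 32 bytes from the system CSPRNG: nothing an attacker can read out of
        // the app bundle (bundle ID, plist values, string literals) goes in.
        var bytes = [UInt8](repeating: 0, count: 32)
        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        guard status == errSecSuccess else {
            throw DatabaseKeyError.randomFailed(status)
        }
        let key = Data(bytes)
        try store(key)
        return key
    }

    private static func read() throws -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:      return item as? Data
        case errSecItemNotFound: return nil
        default:                 throw DatabaseKeyError.keychain(status)
        }
    }

    private static func store(_ key: Data) throws {
        let attributes: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: key,
            // Readable only while unlocked, and never migrated to another
            // device through a backup restore.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw DatabaseKeyError.keychain(status)
        }
    }

    /// SQLCipher accepts a raw 256-bit key as a 64-hex-digit BLOB literal.
    /// That skips SQLCipher's passphrase KDF, which is acceptable only because
    /// the bytes are already uniformly random rather than a human password.
    static func keyPragma(for key: Data) -> String {
        let hex = key.map { String(format: "%02x", $0) }.joined()
        return "PRAGMA key = \"x'\(hex)'\";"
    }
}

/// Opens the encrypted database and verifies the key before returning the
/// handle: with a wrong key, sqlite3_open still succeeds and the failure
/// only shows up on the first read.
func openEncryptedDatabase(at path: String) throws -> OpaquePointer {
    var db: OpaquePointer?
    guard sqlite3_open(path, &db) == SQLITE_OK, let handle = db else {
        throw DatabaseKeyError.sqlite("sqlite3_open failed for \(path)")
    }
    let key = try DatabaseKey.load()
    guard sqlite3_exec(handle, DatabaseKey.keyPragma(for: key), nil, nil, nil) == SQLITE_OK else {
        sqlite3_close(handle)
        throw DatabaseKeyError.sqlite("PRAGMA key failed")
    }
    // Reading sqlite_master fails (SQLITE_NOTADB) when the key is wrong.
    guard sqlite3_exec(handle, "SELECT count(*) FROM sqlite_master;", nil, nil, nil) == SQLITE_OK else {
        let message = String(cString: sqlite3_errmsg(handle))
        sqlite3_close(handle)
        throw DatabaseKeyError.sqlite("key check failed: \(message)")
    }
    return handle
}
```

This covers the "local-only database" case from the first comment: the key never exists outside the device's Keychain, so there is nothing to pull out of the ipa. It does not fit the follow-up case where the database is encrypted on a server before download, because the device-generated key is not known to the server; for that case Wain's later comment applies (encrypt per user with a password the user supplies, and pass that password to SQLCipher as a normal `PRAGMA key = '...'` so its KDF is applied).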