3

I have created an application in which I have fetched personal information from the website and stored it in my local sqlite3 database. The authenticated user only sees their information after a successful login. Then I display it as required. I do not want this information to be hacked by anyone when the phone is lost.

I have implemented the feature that when the app comes to the foreground from the background, it will ask for the PIN, which is hardcoded in the app.

My questions:

  1. Can anyone access my local sqlite3 database when the phone is lost?

  2. Is there any way to encrypt the database and decrypt it when required?

  3. How can I be sure that the database is not vulnerable?

Thanking you

Michael Dautermann
umakanta

4 Answers

1

Try this..

sqlite3 *database = NULL;
// Build the path to the database file inside the app's Documents directory.
NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSString *dbPath = [documentsDirectory stringByAppendingPathComponent:@"myDatadase.sqlite"];
// The SQLITE_OPEN_FILEPROTECTION_* flag requests iOS data protection for the database file.
if (sqlite3_open_v2([dbPath UTF8String], &database, SQLITE_OPEN_CREATE|SQLITE_OPEN_READWRITE|SQLITE_OPEN_FILEPROTECTION_COMPLETEUNTILFIRSTUSERAUTHENTICATION, NULL) == SQLITE_OK){
    NSLog(@"db opened securely");
}else{
    NSLog(@"db not opened");
}
Clement Joseph
0
  1. Anyone can access your file if they can get the phone (which is not so hard, e.g. using iPhone Explorer).

  2. I googled and found http://sqlcipher.net/. Take a look.

  3. If you are encrypting your database using a user-supplied password, I think it is secure enough on your part. A vulnerability might exist in the encryption part or so, but we can never be sure.

tia
  • It is not a file. It is a database which is inside an app. Can anyone access the database using iPhone Explorer? – umakanta Jan 11 '12 at 08:53
  • It IS a file. "A complete database is stored in a single cross-platform disk file." - http://www.sqlite.org/features.html. And yes, no matter whether it is inside or outside the application bundle, iPhone Explorer can access it. – tia Jan 11 '12 at 09:31
0

Is this your problem to solve? It could be best to educate the user to use the Find My iPhone app to remotely wipe their lost iPhone. Savvy users will do this automatically to protect their contacts and saved passwords to PayPal, eBay, etc.

Goldie
0

As others have stated, yes, your information may well be accessible.

If your database contains confidential information it should be, at a minimum, stored using the iOS Secure File Storage mechanisms (assuming the OS supports it... IIRC it's iOS 4+).

For sqlite, to your sqlite3_open_v2() call pass one of the rather unwieldy

SQLITE_OPEN_FILEPROTECTION_COMPLETE...

options to enable secure file storage. These constants are declared with the rest of them in sqlite3.h.

Conrad Shultz
  • I am not writing to any file or using any file. Whatever information I fetch from the website is stored in the database. Examples are welcome. – umakanta Jan 11 '12 at 08:58
  • Are you saying that you are using a pure in-memory database (http://www.sqlite.org/inmemorydb.html)? If not, then there *is* a file. – Conrad Shultz Jan 11 '12 at 10:27
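
The file-protection approach from the answers above, written out as an added example that is not part of the original thread: it opens the database with `SQLITE_OPEN_FILEPROTECTION_COMPLETE` and then reads the file's protection class back from disk, which is one concrete check for question 3. The helper name `OpenProtectedDatabase` and the error domain are hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// Hypothetical helper (not from the thread): opens or creates the database at
// dbPath with complete file protection and confirms the class set on the file.
// Notes: data protection only takes effect when the device has a passcode, and
// with the "complete" class the file cannot be read while the device is locked.
static sqlite3 *OpenProtectedDatabase(NSString *dbPath, NSError **error) {
    sqlite3 *db = NULL;
    int flags = SQLITE_OPEN_CREATE | SQLITE_OPEN_READWRITE |
                SQLITE_OPEN_FILEPROTECTION_COMPLETE;

    if (sqlite3_open_v2([dbPath fileSystemRepresentation], &db, flags, NULL) != SQLITE_OK) {
        if (error) {
            NSString *msg = db ? [NSString stringWithUTF8String:sqlite3_errmsg(db)]
                               : @"out of memory";
            *error = [NSError errorWithDomain:@"ExampleDBErrorDomain" // assumed name
                                         code:1
                                     userInfo:@{NSLocalizedDescriptionKey: msg}];
        }
        sqlite3_close(db); // harmless no-op when db is NULL
        return NULL;
    }

    // Read back the protection class actually recorded for the file.
    NSFileManager *fm = [NSFileManager defaultManager];
    NSDictionary *attrs = [fm attributesOfItemAtPath:dbPath error:error];
    if (!attrs) {
        sqlite3_close(db);
        return NULL;
    }

    NSString *current = attrs[NSFileProtectionKey];
    if (![current isEqualToString:NSFileProtectionComplete]) {
        // If the file already existed with a weaker class, raise it explicitly.
        NSDictionary *wanted = @{NSFileProtectionKey: NSFileProtectionComplete};
        if (![fm setAttributes:wanted ofItemAtPath:dbPath error:error]) {
            sqlite3_close(db);
            return NULL;
        }
    }
    return db; // caller closes with sqlite3_close()
}
```

File protection covers the database at rest on a locked device; it does not replace database-level encryption such as the SQLCipher option mentioned in the answers.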