I have a SQLite database which contains confidential information. So my concern is how do I store it on the iPhone so that it is secure and hackers can't get to it. I looked into the hardware encryption provided by the iPad but couldn't figure out how to use it. Any help is appreciated...
1 You can encrypt it, and decrypt when reading. If your application is not open source and you don't need to tell others the method of encryption, any algorithm that you use will be enough, even simple xor. – jcubic Mar 02 '12 at 08:37
3 Answers
You may look at different approaches for the solution of your problem.
1. Encrypt values stored in CoreData with md5 + salt encryption. You can generate a special key, based on the user device UUID and some additional "salt", to store data. Be careful, Apple is going to deprecate device personalization values in the future. On the other hand, you may receive a special key through user authentication, receiving this key from a POST request. For encryption you can use the built-in framework: #import <CommonCrypto/CommonDigest.h>. There are a lot of examples which you can find on the web.
2. Encrypt the whole SQLite file in the documents folder. This can be quite tricky, and I have not faced this approach before.
EDIT: This is a code sample which you can use to get data encrypted with md5. This is the .h file:
#import <Foundation/Foundation.h>
@interface NSString (MyExtensions)
- (NSString *) md5;
@end
@interface NSData (MyExtensions)
- (NSString *)md5;
@end
This is the .m file:
#import "MyExtensions.h" // use your own .h file name here
#import <CommonCrypto/CommonDigest.h> // Needed for CC_MD5 access
#include <string.h> // strlen

@implementation NSString (MyExtensions)
- (NSString *) md5
{
    const char *cStr = [self UTF8String];
    unsigned char result[CC_MD5_DIGEST_LENGTH]; // 16 bytes
    CC_MD5( cStr, (CC_LONG)strlen(cStr), result ); // This is the md5 call
    // Format the 16 digest bytes as 32 lowercase hex characters
    return [NSString stringWithFormat:
        @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
        result[0], result[1], result[2], result[3],
        result[4], result[5], result[6], result[7],
        result[8], result[9], result[10], result[11],
        result[12], result[13], result[14], result[15]
    ];
}
@end

@implementation NSData (MyExtensions)
- (NSString *)md5
{
    unsigned char result[CC_MD5_DIGEST_LENGTH]; // 16 bytes
    CC_MD5( self.bytes, (CC_LONG)self.length, result ); // This is the md5 call
    // Format the 16 digest bytes as 32 lowercase hex characters
    return [NSString stringWithFormat:
        @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
        result[0], result[1], result[2], result[3],
        result[4], result[5], result[6], result[7],
        result[8], result[9], result[10], result[11],
        result[12], result[13], result[14], result[15]
    ];
}
@end
So if you include these files anywhere in your code, you can simply call this function:
NSString *myStringToEncrypt = @"Confidential information";
NSString *myMD5 = [myStringToEncrypt md5];
By the way, you should know that the MD5 function is just a hash function, which returns a checksum of the data. If you want to encrypt, you could look at the AES256 encryption method. CommonCrypto also provides it. The approach depends on your goals.

Where can I get more details or a sample on ...? I was trying to use CCCrypt but seriously can't find any documentation how to use it. – Ankit Srivastava Mar 02 '12 at 08:52
I can provide you with a code snippet which I used in my project. Wait a minute :) – kokoko Mar 02 '12 at 08:57
Thanks.. this looks good. Do you also have any idea about hardware-accelerated AES Encryption? I know that iPhone and iPad support it and one can use CCCrypt to use it... – Ankit Srivastava Mar 02 '12 at 09:17
In fact Apple provides hardware accelerated encryption. But you shouldn't care about how it is used, because the Cocoa framework provides you with all the necessary instruments to work with. It doesn't matter how it is accelerated, it is not your problem. The library exists, but it is not documented. The clearest answer to the question "why" is that countries which receive Apple devices always watch for possible usage of hardware accelerated encryption methods to prevent usage for illegal purposes. That's why this library is used in inner iOS logic. Anyway, you wouldn't lose calculation speed through the framework – kokoko Mar 02 '12 at 09:47
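The AES route this answer points to, as an added example that is not code from the answer or its comments: AES-256-CBC through CCCrypt with a random IV and a PBKDF2-derived key, which is reversible where the MD5 digest above is not. The function names, the round count and the IV-prefix layout are assumptions of this example.

```objc
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <CommonCrypto/CommonKeyDerivation.h>
#import <Security/Security.h>

// Assumed helper: PBKDF2-HMAC-SHA256 turns a passphrase into a 256-bit key.
// The salt is random per database, stored beside the ciphertext, not secret.
static NSData *DeriveKey(NSString *passphrase, NSData *salt) {
    NSData *pw = [passphrase dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *key = [NSMutableData dataWithLength:kCCKeySizeAES256];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, pw.bytes, pw.length,
                                  salt.bytes, salt.length, kCCPRFHmacAlgSHA256,
                                  100000 /* rounds: assumed value */,
                                  key.mutableBytes, key.length);
    return rc == kCCSuccess ? key : nil;
}

// Output layout (an assumption of this example): IV (16 bytes) || ciphertext.
// kCCAlgorithmAES128 names the 128-bit block size; the key length selects AES-256.
static NSData *AESEncrypt(NSData *plain, NSData *key) {
    uint8_t iv[kCCBlockSizeAES128];
    if (key.length != kCCKeySizeAES256) return nil;
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof iv, iv) != errSecSuccess) return nil;
    NSMutableData *out = [NSMutableData dataWithLength:sizeof iv + plain.length + kCCBlockSizeAES128];
    memcpy(out.mutableBytes, iv, sizeof iv);
    size_t n = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv, plain.bytes, plain.length,
                                 (uint8_t *)out.mutableBytes + sizeof iv,
                                 out.length - sizeof iv, &n);
    if (st != kCCSuccess) return nil;
    out.length = sizeof iv + n;
    return out;
}

// Splits the IV off the front and reverses AESEncrypt; nil on any failure.
static NSData *AESDecrypt(NSData *blob, NSData *key) {
    if (blob.length < 2 * kCCBlockSizeAES128 || key.length != kCCKeySizeAES256) return nil;
    const uint8_t *p = blob.bytes;
    NSMutableData *out = [NSMutableData dataWithLength:blob.length - kCCBlockSizeAES128];
    size_t n = 0;
    CCCryptorStatus st = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, p, p + kCCBlockSizeAES128,
                                 blob.length - kCCBlockSizeAES128,
                                 out.mutableBytes, out.length, &n);
    if (st != kCCSuccess) return nil;
    out.length = n;
    return out;
}
```

CBC on its own gives confidentiality only; if the stored value must also be tamper-evident, compute an HMAC (CCHmac) over the IV and ciphertext and check it before decrypting.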
You can use http://sqlcipher.net/ (SQLite with AES Encryption) - but this has some serious implications (export restriction stuff, and it does not integrate with CoreData).

I think you can create a password protected zip file of your database. You can unzip it when you need it.

As far as I have heard, password-protected ZIP files can easily be unlocked if you have a pretty fast computer.. My major concern is theft of the device. See, if the device gets stolen there are ways one can get access to that database, that's why I am looking into hardware-accelerated AES Encryption. I have heard this is pretty good even if the device gets stolen. – Ankit Srivastava Mar 02 '12 at 09:42
If you choose a good password to protect it, it would be difficult to crack. AES Encryption is of course very good. But if you encrypt/decrypt the entire database every time, it is going to consume lots of CPU time. I feel doing it is quite inefficient. – Vignesh Mar 02 '12 at 11:16
I was not thinking about encrypting/decrypting the entire database every time, I know that will be very inefficient. What I was thinking was like some kind of a lock on the database which locks the database... SQLCipher seems a nice option as suggested by hburde... but thanks anyways. – Ankit Srivastava Mar 02 '12 at 11:58
Ya. SqlCipher is too good. I was imagining SQLCipher is commercial. That's why I didn't suggest it. Thanks. – Vignesh Mar 02 '12 at 13:27
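For the stolen-device concern and the hardware encryption the question asks about: iOS exposes it to apps as Data Protection file classes. An added example, not from any of the posts, that applies NSFileProtectionComplete to the database and SQLite's sidecar files and reads the class back; the helper name is an assumption.

```objc
#import <Foundation/Foundation.h>

// Assumed helper: mark the SQLite file and its sidecar files with the
// NSFileProtectionComplete class. Returns YES only if every file that exists
// right now reports that class afterwards.
static BOOL ProtectSQLiteFiles(NSString *dbPath, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    // SQLite can hold recently written pages in these files, so the main
    // database file alone is not enough.
    NSArray *suffixes = @[@"", @"-journal", @"-wal", @"-shm"];
    for (NSString *suffix in suffixes) {
        NSString *path = [dbPath stringByAppendingString:suffix];
        // Sidecar files are created on demand; only existing ones are changed,
        // so call this again after the database has been opened.
        if (![fm fileExistsAtPath:path]) continue;
        NSDictionary *attrs = @{NSFileProtectionKey: NSFileProtectionComplete};
        if (![fm setAttributes:attrs ofItemAtPath:path error:error]) return NO;
        // Read the attribute back instead of trusting the call.
        NSDictionary *now = [fm attributesOfItemAtPath:path error:error];
        if (![now[NSFileProtectionKey] isEqualToString:NSFileProtectionComplete]) return NO;
    }
    return YES;
}
```

The class only protects the data when the device has a passcode set, and files in this class cannot be read while the device is locked, so background work that touches the database has to allow for that.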