How accessible will the SQLite database that I submit with my application be to my users?

I am developing an iPad application that will rely on a very large database with valuable information. I am not too familiar with the device (I do not have a personal iPad, and I have never used it outside the development of this application). Users cannot directly see data in the database through my application anywhere.

Will there be another way to access the data in my database (perhaps by connecting the device to the computer and going through Xcode or iTunes)? If not, I read a little about jailbreaking, and I saw that it could allow the user to access the file system of the device; would that allow them to see the contents of my database? Or would it be possible, with jailbreaking and installing an application, to view database files on hacked devices (in fact, this question would suggest that it would be quite easy to develop a "reader database" for jailbroken devices)?

+6
3 answers

If there is a database, then people can touch it. It is just a matter of being a little more than a strong user. They may not be able to read data from the database if they do not have credentials for authentication in it, but again, after you have the database on your hard drive, it is just a matter of patience and knowledge to penetrate it.

This is a principle that applies to any device and operating system, not just iPad and iOS. If you do not want your users to mess up some file that your application uses, you can encrypt it using an indecently long encryption key. Someone may end up hacking this information ... All you can do is make sure that they cannot do it before your application becomes obsolete anyway.

Otherwise, save your data on a server where people cannot touch it.

+5

I am a developer (and not a hacker). No matter how hard I try to protect my applications, as soon as the code or database is on the device (encrypted or not), I consider the data public. If the decryption key is transferred to the phone and decrypted on the phone, then consider this data public too. Basically, you are screwed. Refuse to protect your applications, and just start creating a cooler and use HTTPS when sending data over the Internet; that's all I can ask for. Protecting your keys, IPA tokens, high scores, coins, etc. is literally impossible. Yes, do a little to try, but your efforts are fruitless. Every day, the public hacker tools to see inside locally encrypted databases, locally encrypted applications, and confusing applications are getting better and better. You cannot win. Developers are not smarter than hackers, period. Providing the end user with a false sense of security. Like locking your house or locking your car, can you stop someone from breaking in? Nope. The only way to solve this issue is to build a large bank of basics (it's a server), put some counters at the registration desk (aka the cloud API) and do it.

+1

I am not an iOS developer, but I know SQLite. You can encrypt databases in SQLite: look for the sqlite3_key_v2() documentation. Your application will have to have an internal password, but you can make it difficult for the hacker. Do not use a static string as a password; instead, take some string and then use it programmatically. This will make it more difficult, but not impossible, for the attacker to recover the key. But this will add an order of magnitude greater complexity. An attacker will need to gain access to the database file itself, and then they will have to reverse engineer your application to recover the database password.

0
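
As an added example (not code from any of the answers above), a pre-release audit can show what the first and third answers describe: a plaintext SQLite file is recognisable from its first 16 bytes and its schema opens with no credentials, while an encrypted file shows neither. The file names, the `products` table and the random bytes standing in for an encrypted database are constructed for this sketch.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite 3 file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_db_file(path: str) -> dict:
    """Classify a bundled file using only what file-system access provides."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    report = {"path": path, "plaintext_sqlite": head.startswith(SQLITE_MAGIC),
              "entropy": round(shannon_entropy(head), 2), "tables": []}
    if report["plaintext_sqlite"]:
        # No key or login is involved: the schema is readable as-is.
        uri = Path(path).resolve().as_uri() + "?mode=ro"
        con = sqlite3.connect(uri, uri=True)
        try:
            rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
            report["tables"] = [r[0] for r in rows]
        finally:
            con.close()
    return report

def build_samples(workdir: str) -> tuple:
    """Constructed inputs: a plaintext DB and random bytes standing in for an encrypted one."""
    plain = os.path.join(workdir, "catalog.sqlite")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.execute("INSERT INTO products (name, price) VALUES ('sample', 9.99)")
    con.commit()
    con.close()
    opaque = os.path.join(workdir, "catalog.enc")
    with open(opaque, "wb") as fh:
        fh.write(os.urandom(4096))
    return plain, opaque

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in build_samples(d):
            print(audit_db_file(p))
```

Running the audit over the files in an app bundle before release flags any database that ships in readable form.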

Source: https://habr.com/ru/post/952151/