I have a Core Data database with a lot of sensitive information, so I would like to encrypt it.
Almost all information about encrypting Core Data databases seems to be quite outdated:
Creating the persistent store coordinator with NSFileProtectionComplete.
But copying the files off the device with iTunes or Xcode decrypts the database (https://stackoverflow.com/a/30823240/8837882). And the database seems to get decrypted as soon as the device is unlocked, whether or not the app is running.
Encrypting the database with https://github.com/project-imas/encrypted-core-data. The last commit is from 2017.
So I'd like to ask if these recommendations are still up to date or if there are better ones at the end of 2020?
I am going to build a mobile app for my dad which will have four tables, namely: buyer table, seller table, buyer balance payment table and seller due payment table. I have thought of using React Native and SQLite due to its offline data storage capability.
Transaction limit per day will be between 2-10 rows in buyer and seller table.
Can anyone advise whether the offline data storage is safe?
Can anyone read the data from phone storage or its hidden inside the app?
Is it possible to export/import the data weekly to personal cloud storage like google drive or Microsoft one-drive and vice versa?
Is it advisable to publish such apps to the app store or can I use it without publishing?
If the app is for personal use, you don't have to publish it in the Play Store. You can create an APK and install it on your phone.
SQLite storage is adequate for offline storage but you might lose data if a backup of the data has not been taken.
Encrypt your data before you enter it in the database. As far as I know, the SQLite database is kept in a single file somewhere in the /data/ directory. What is more, your data is kept in plain text format. This means that it will always be possible for someone to extract that data by rooting the phone, obtaining the .db SQLite file and opening it with a text editor.
If the data is sensitive, you should consider encryption.
Yes, you can take a backup and store it as an encrypted file in the cloud.
In my personal opinion, you can use Firebase or other free cloud websites to host your data. It will be simpler and more secure.
I've been playing around with coding up a small password management command line utility in Python. Mostly just for fun, and probably nothing I would ever actually use since I already use established tools for this task.
The program stores site, user name, and password in a SQLite database, and provides various options for looking up passwords, accounts, etc. I was looking for a way to encrypt the SQLite database, because passwords, and I came across SQLCipher. I had trouble building it on macOS, and gave up on that pretty quickly. I decided to try just encrypting the database with GnuPG. From a usage standpoint it seems to work well. I wrote a small wrapper in bash that quickly decrypts the database before any operation is done on it, and then re-encrypts it when it's done. Is this an acceptable method for encrypting a SQLite database? I can't really find any other examples online of SQLite databases being encrypted this way.
Is this an acceptable method for encrypting a SQLite database?
If you consider it acceptable, yes; others may or may not.
However, from a security point of view, probably not if you are decrypting the database file to use it and then encrypting it after use, as the decrypted version could be available and be accessed. The SEE (SQLite Encryption Extension) only decrypts to memory and then only partial data rather than the entire file, so would be more secure from the aspect of security.
How SEE Works
Each page is encrypted separately. The key to encryption is a combination of the page number, the random nonce (if any) and the database key. The data is encrypted in both the main database and in the rollback journal or WAL file but is unencrypted when held in memory. This means that if an adversary is able to view the memory used by your program, she will be able to see unencrypted data.
An alternative would be to store encrypted values, decrypting each as they are extracted; this would then equate to the decrypted value(s) only being in memory. This could have the potential benefit of multiple key phrases (say for multiple users). Thus there would be no single key that unlocks all data.
I need to store information in the MongoDB database on the phone to be used while offline. The app will download the data while online, and store it in the DB, to be used while offline. Then when the user is online again, I will send the MongoDB info collected, using my API.
I don't want the MongoDB to be synced with the server while online, either. I want to keep the data on the individual phone. I want to use the data in MongoDB while offline. I need the app to be able to quit/restart without losing the data on the phone locally.
What is the best way to go about doing this?
There are some options to consider.
1) Create a local mongo database - this is client only storage with no server publication (not sure if it persists between app invocations)
2) SQLite can do the job, but only on Android (not iOS)
3) LokiJS is a fast JS only database that promises to be useful - haven't explored it, but it would be good to hear some feedback
4) If the data is small, you could use LocalStorage; it's pretty simple, you just need to look after serialising and deserialising it yourself
I have a Xamarin.Forms app that uses a local SQLite database as its source for data. The data is proprietary, so I want to protect it so that if someone gets access to the database file, they would have to decrypt it to access the data.
I also want to limit the number of queries users can make against the database so that at a certain point they have to purchase the ability to use more of the data (in-app purchase).
I want to avoid making network calls as much as possible to minimize impact to the user's data plan and allow the app to work well in conditions where there is poor or no connectivity. So, I want the data stored in a local database (perhaps in SQLite).
I'm curious how different people would approach this problem to protect the data and at the same time minimize network usage.
Here is kind of what I was thinking (if it's possible):
1) Let the user download/install the app.
2) On first load, the app will upload a key based on the device id and the user's current purchase information. Then it will download a SqLite database file that has been encrypted using the uploaded key.
3) When the user reaches their limit of queries, the database file is deleted. If they purchase more data, then a new key is uploaded and a new encrypted database is downloaded to be used.
Thoughts? Is there a better way?
I would suggest SQLCipher! It is a Component within Xamarin (http://components.xamarin.com/view/sqlcipher-for-xamarin-ios) but can also be built from source as it is Open Source (https://www.zetetic.net/sqlcipher/open-source/)
That will totally secure your database :)
UPDATE 8/2/2018 - SQLCipher is now free and easy to implement thanks to the greatness of Frank Krueger. sqlite-net (https://github.com/praeclarum/sqlite-net) is the de facto SQLite library for Xamarin now (if you're still using the Sqlite.Net fork I recommend going back to sqlite-net as soon as possible, as Sqlite.Net has been abandoned) and it now includes SQLCipher support completely free of charge.
As clb mentioned, SQLCipher is open source. So if you don't want to pay for the component you can download and build the source yourself, then wrap it for use in Xamarin. This is, admittedly, a technically challenging task.
If that's not an option, I would recommend two other options:
Reevaluate your need to store data locally. It's extremely unlikely that you need to transfer enough data to even cause a blip on a user's data plan. And between cellular and wifi, it's not that common anymore for users to be without a connection. It certainly does happen, and there are certain apps where this is very important, but you may have to make concessions if the data is that sensitive.
If you absolutely have to store the data locally, and you can't use SQLCipher, your last real option is to use a cryptography library and encrypt the data itself, rather than the database file. This is less than ideal, typically, for a variety of reasons, but it may be your last resort. PCLCrypto is a PCL-capable crypto library that you can look into.
https://github.com/aarnott/pclcrypto
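The same advice appears three times on this page: the React Native answer's "encrypt your data before you enter it in the database", the password-manager answer's suggestion to store encrypted values and decrypt each as it is extracted (possibly under different key phrases for different users), and the Xamarin answer's fallback of encrypting the data itself rather than the database file. The following is an added example and not code from any of the posts, nor from sqlite-net, SQLCipher or PCLCrypto: a small Python password vault over SQLite in which only the secret column is encrypted, under a key derived from each user's own passphrase. The `Vault` class, its table layout and the `example.com` rows are constructed for the example; the cipher is a standard-library-only encrypt-then-MAC stand-in for a library AEAD, as the comments state.

```python
"""Field-level encryption for an SQLite table, standard library only (constructed example).

Each secret is encrypted before INSERT and decrypted only when a row is read back,
so the database file never holds the plaintext and each user's rows are sealed under
that user's own key. The cipher is encrypt-then-MAC built from HMAC-SHA256 (a PRF
keystream plus an HMAC tag); it stands in for a library AEAD such as AES-GCM or
ChaCha20-Poly1305, which a real application should use instead.
"""
import hashlib
import hmac
import os
import sqlite3
import struct

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # example value; tune to the target hardware


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from the master key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256: block i = HMAC(k, nonce || i).
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per value."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Password store: site and username in the clear, secret sealed per owner (constructed)."""

    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.executescript(
            "CREATE TABLE IF NOT EXISTS users(name TEXT PRIMARY KEY, salt BLOB NOT NULL);"
            "CREATE TABLE IF NOT EXISTS accounts(owner TEXT, site TEXT, username TEXT,"
            " secret BLOB NOT NULL, PRIMARY KEY(owner, site));"
        )

    def unlock(self, user: str, passphrase: str) -> bytes:
        """Derive this user's key, creating a per-user salt on first use."""
        row = self.conn.execute("SELECT salt FROM users WHERE name=?", (user,)).fetchone()
        if row is None:
            salt = os.urandom(16)
            self.conn.execute("INSERT INTO users VALUES(?,?)", (user, salt))
            self.conn.commit()
        else:
            salt = row[0]
        return derive_key(passphrase, salt)

    def add(self, user: str, key: bytes, site: str, username: str, password: str) -> None:
        """Encrypt the password before it ever reaches the database."""
        self.conn.execute(
            "INSERT OR REPLACE INTO accounts VALUES(?,?,?,?)",
            (user, site, username, encrypt(key, password.encode())),
        )
        self.conn.commit()

    def get(self, user: str, key: bytes, site: str):
        """Decrypt exactly one row; the plaintext exists only in this process's memory."""
        row = self.conn.execute(
            "SELECT username, secret FROM accounts WHERE owner=? AND site=?", (user, site)
        ).fetchone()
        if row is None:
            raise KeyError(site)
        return row[0], decrypt(key, row[1]).decode()

    def dump_contains(self, needle: str) -> bool:
        """True if the SQL dump (what someone holding the .db file sees) contains `needle`."""
        return needle in "\n".join(self.conn.iterdump())
```

`dump_contains` makes the point the answers are making: the dump of the file shows site and username in the clear but only ciphertext for the secret, so copying the .db file yields nothing about the passwords without a passphrase, and a wrong passphrase or another user's key fails the authentication check rather than returning garbage. The trade-off, also noted above, is that an encrypted column cannot be searched or indexed by value, and the decrypted value still lives in process memory while it is in use.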
I've read on multiple websites that Azure doesn't support encryption.
However I'm migrating (more like a backup) an Azure DB to SQL Server using the "Azure SQL Migration Tool" and I'm getting a warning about scripting the views: "Encrypted objects will not be scripted".
Also found this note on their site: Problem fixed in v3.5.5. Basically, Stored Procedures, Views, UDFs, Triggers ... any object that can be encrypted is checked beforehand. The objects that are encrypted are highlighted in yellow with red letters. On the summary page, a list of encrypted objects that will not be scripted will be displayed.
http://sqlazuremw.codeplex.com/workitem/5762
If Azure SQL supports encryption, how can I get the creation script for this view?
Windows Azure SQL Database (database-as-a-service) does not support encryption. However: If you run SQL Server in a Virtual Machine, you should have all features at your disposal, including encryption.
I can't explain what's happening with the migration from SQL Database to SQL Server, regarding creation scripts involving encrypted objects on the target side.
SQL Database still doesn't support encryption, so either you are reading from a SQL Server database, or there is a bug in the Wizard. There are no encrypted database objects in SQL Database as far as I know. If you are sure you are reading from SQL Database, just try creating an encrypted view in it and see what happens. From the MSDN documentation, creating an encrypted view is not supported: http://msdn.microsoft.com/en-us/library/windowsazure/ee336244.aspx.
I am curious to know if you are getting the same error with Enzo Cloud Backup: http://www.bluesyntax.net/backup20.aspx. Just use the free edition.