Old 06-12-2010, 10:47 AM   #1 (permalink)
A Single-Serving Friend
 
Join Date: Mar 2010
Location: Groningen, NL
Posts: 491
Robert Paulson is on a distinguished road
Question How/Where to store the en-/decryption passphrase?

Hi guys,

I have an idea for an app and was doing some research. Now I am not sure whether it's possible to do what I want to do.

Suppose I want the user to enter some data and that data is stored using a plist or an SQLite database or something. This would be very private data that no-one should be able to access but the user themselves. Therefore, I thought encryption is the way to go.

I googled a bit and found several ways. Among others, this article: Strong Encryption for Cocoa/Cocoa Touch.

What bothers me is this:
Quote:
Originally Posted by iphone dev blog
Okay, now, this is a symmetric block cypher, it is not public-key encryption, so if you store your passphrase as a string in your application (as opposed to making the user enter it or storing it in the keychain) then you're giving somebody the ability to decrypt your encrypted application data, so just be forewarned.
I don't want to use an external server or something. It should all happen on the phone and should not require an internet connection. But is that even possible? I mean, how can I store the passphrase in a way that it cannot be accessed by anyone else?

Is there a way? Or an alternative to achieve the same thing?

Any help is greatly appreciated!

Cheers,
Bob
__________________
We are God’s middle children, according to Tyler Durden, with no special place in history and no special attention.

Consider saying thanks by buying my app. :]
Robert Paulson is offline   Reply With Quote
Old 06-12-2010, 12:16 PM   #2 (permalink)
Super Moderator
 
Join Date: Oct 2009
Location: San Diego, CA
Posts: 1,586
JasonR is on a distinguished road
Default

The keychain is the normal place to store passwords and keys. The Keychain Service Programming Guide in your developer documentation should give you a good overview.
JasonR is offline   Reply With Quote
Old 06-12-2010, 12:52 PM   #3 (permalink)
A Single-Serving Friend
 
Join Date: Mar 2010
Location: Groningen, NL
Posts: 491
Robert Paulson is on a distinguished road
Default

Thanks for the reply, JasonR. I'll make sure to read up on that.


I had another idea, though. Say, the app starts and I let the user enter a passphrase (that the user chooses). I'll then use that passphrase to encrypt their data. When they close the app, the data is encrypted and I simply don't bother to store the correct passphrase. The next time the user opens the app, they have to enter the passphrase and I'll use the entered passphrase to attempt decrypting the data. If it succeeds, the passphrase was correct but if it fails, it was wrong.

Is that an option?

Cheers,
Bob
Robert Paulson is offline   Reply With Quote
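
The scheme described in post #3, as an added example that is not part of the original thread: the key is derived from the user's passphrase with PBKDF2 and a stored random salt, and an authenticated cipher (AES-GCM) makes a wrong passphrase fail the tag check instead of yielding garbage. It assumes iOS 13 or later for CryptoKit; the function names, the blob layout and the iteration count are choices made for this example.

```swift
import Foundation
import Security
import CommonCrypto
import CryptoKit

// Added example: names, blob layout and iteration count are assumptions.
enum VaultError: Error { case random, kdf, malformed, wrongPassphraseOrTampered }
let saltLength = 16
let kdfRounds: UInt32 = 600_000   // assumed work factor; tune for the target device

// PBKDF2-HMAC-SHA256: passphrase + salt -> 256-bit key. The passphrase is never stored.
func deriveKey(passphrase: String, salt: Data) throws -> SymmetricKey {
    var derived = [UInt8](repeating: 0, count: 32)
    let saltBytes = [UInt8](salt)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2), passphrase, passphrase.utf8.count,
        saltBytes, saltBytes.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), kdfRounds, &derived, derived.count)
    guard status == Int32(kCCSuccess) else { throw VaultError.kdf }
    return SymmetricKey(data: derived)
}

// Returns salt || nonce || ciphertext || tag; this blob is what goes to disk.
func sealData(_ plaintext: Data, passphrase: String) throws -> Data {
    var salt = [UInt8](repeating: 0, count: saltLength)
    guard SecRandomCopyBytes(kSecRandomDefault, salt.count, &salt) == errSecSuccess
    else { throw VaultError.random }
    let key = try deriveKey(passphrase: passphrase, salt: Data(salt))
    guard let combined = try AES.GCM.seal(plaintext, using: key).combined
    else { throw VaultError.malformed }
    return Data(salt) + combined
}

// A wrong passphrase derives a different key, so the GCM tag check fails and we throw.
func openData(_ blob: Data, passphrase: String) throws -> Data {
    guard blob.count > saltLength else { throw VaultError.malformed }
    let salt = Data(blob.prefix(saltLength))
    let key = try deriveKey(passphrase: passphrase, salt: salt)
    do {
        let box = try AES.GCM.SealedBox(combined: blob.dropFirst(saltLength))
        return try AES.GCM.open(box, using: key)
    } catch {
        throw VaultError.wrongPassphraseOrTampered
    }
}
```

Only the blob returned by `sealData` is written to the plist or SQLite row; the passphrase and derived key live in memory only while the app is unlocked.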
Old 06-12-2010, 03:38 PM   #4 (permalink)
Super Moderator
 
Join Date: Oct 2009
Location: San Diego, CA
Posts: 1,586
JasonR is on a distinguished road
Default

Bob,

Probably depends on the security needs of your users. Requiring a passphrase every time you run is certainly the best security, but many casual users will find it so annoying that they won't use it.

How well do you know your target market? Are they security conscious enough to take the extra time for a pass phrase?

Also, I've not looked into it deeply, but iOS 4 offers the option to encrypt files, which might be a third option.
JasonR is offline   Reply With Quote
Old 06-13-2010, 07:05 AM   #5 (permalink)
A Single-Serving Friend
 
Join Date: Mar 2010
Location: Groningen, NL
Posts: 491
Robert Paulson is on a distinguished road
Default

JasonR,

the data would be very, very sensible and the users wouldn't want others to be able to access it without the passphrase. Therefore, I think the users won't mind having to enter the passphrase every time they open the app... it might even give them a sense of security.

And thanks for mentioning iOS 4. I'll check that out as well. Thanks a lot!

Cheers,
Bob
Robert Paulson is offline   Reply With Quote