This discussion is archived
4438 Views 5 Replies Latest reply: Jun 12, 2008 9:36 AM by mmalone84
May 30, 2008 3:51 PM (in response to johne-dm)
ok... i think i was able to do it. here is what i did and someone can tell me if this is the stupidest thing they ever heard of:
i created a command line utility that will encrypt a file based on some information about another file in my app (like an md5 digest, save date, etc) that doesn't change once the app is installed.
used that to encrypt a properties file in a custom "run script" build step in my build.
i use the same key (gotten at runtime from the file system) to decrypt the properties file and turn it into an NSDictionary to be read at runtime. this way, the key to the encryption is somewhere in the app, but not easily found by anyone.
the original properties file is not included with the app during build.
is the secret safe?
mac book pro
Jun 11, 2008 10:37 PM (in response to johne-dm)
Hi, can you post your sample code for simple symmetrical encrypt on iPhone? I am aware of the CCCrypt functions but can't get them to work.
Thanks
macpro, Mac OS X (10.5.2), iPhone reg developer
Jun 12, 2008 1:40 AM (in response to johne-dm)
There is no way to do what you want.
The short version is that any security scheme you think of can only obfuscate the key, because you don't have any secrets available to you that the user doesn't have. In this case, someone could reverse engineer your encryption scheme; once they know that you're deriving a key from your application bundle, they can figure out what that key is just the same as you.
But here's the good news: you don't have to! The user never gets raw access to the file system in iPhone OS, so they never get an opportunity to access and reverse-engineer your app. And even if they did, your app bundle is wrapped in FairPlay encryption. (The phone backup stored on your computer is encrypted, too.) So unless you're worried about Apple stealing your app's secret, you don't really have to worry about obfuscating it at all.
MacBook, Mac OS X (10.5.3)
Jun 12, 2008 8:50 AM (in response to Brent Royal-Gordon)
Ok, but the common practice is to copy any DB or working files to the app documents folder on the iPhone, which is accessible (xcode organizer can copy this folder to the desktop). So how can I secure sensitive data (sqlite files)? As you mentioned the password/key stored in the bundle is secure, so if I can get the CCCrypt API to work it should offer a good solution. I keep getting an invalid param error, I am sure my C syntax is the problem but I have no sample reference to verify use of the parameters and data types for the CCCrypt(.....) function.
macpro, Mac OS X (10.5.2), iPhone reg developer
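For the CCCrypt question asked above, an added example (not code from any poster in this thread) showing the argument order and buffer sizing of a one-shot CCCrypt call for AES-128-CBC with PKCS#7 padding. The helper names ExampleEncrypt and ExampleDecrypt, the IV-prefixed blob layout and the caller-supplied 16-byte key are assumptions of this example; CBC alone gives no integrity protection, and where the key is kept remains the problem discussed in the replies.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <Security/Security.h>

// Hypothetical helpers (not from the thread): AES-128-CBC, PKCS#7 padding.
// Blob layout is this example's own choice: 16-byte random IV || ciphertext.
static NSData *ExampleEncrypt(NSData *plain, NSData *key) {
    if (key.length != kCCKeySizeAES128) return nil;  // keyLength must match the algorithm
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(iv), iv) != errSecSuccess) return nil;
    // PKCS#7 padding can add up to one full block to the output.
    NSMutableData *out = [NSMutableData dataWithLength:sizeof(iv) + plain.length + kCCBlockSizeAES128];
    memcpy(out.mutableBytes, iv, sizeof(iv));
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv, plain.bytes, plain.length,
                                 (uint8_t *)out.mutableBytes + sizeof(iv), out.length - sizeof(iv), &moved);
    if (st != kCCSuccess) return nil;
    out.length = sizeof(iv) + moved;  // trim to the bytes actually written
    return out;
}

static NSData *ExampleDecrypt(NSData *blob, NSData *key) {
    if (key.length != kCCKeySizeAES128) return nil;
    // Need the IV plus at least one whole ciphertext block.
    if (blob.length < 2 * kCCBlockSizeAES128 || blob.length % kCCBlockSizeAES128) return nil;
    const uint8_t *p = blob.bytes;
    size_t ctLen = blob.length - kCCBlockSizeAES128;
    NSMutableData *out = [NSMutableData dataWithLength:ctLen];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, p, p + kCCBlockSizeAES128, ctLen,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;
    out.length = moved;  // padding removed, so moved <= ctLen
    return out;
}

int main(void) {
    @autoreleasepool {
        uint8_t k[kCCKeySizeAES128];  // constructed random demo key
        if (SecRandomCopyBytes(kSecRandomDefault, sizeof(k), k) != errSecSuccess) return 1;
        NSData *key = [NSData dataWithBytes:k length:sizeof(k)];
        NSData *msg = [@"constructed sample record" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *back = ExampleDecrypt(ExampleEncrypt(msg, key), key);
        NSLog(@"round trip ok: %d", [back isEqualToData:msg]);
    }
    return 0;
}
```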
Jun 12, 2008 9:36 AM (in response to Brent Royal-Gordon)
I'm with Brent on this. The user should never have access to the raw app. And, honestly, is there any reason for anyone to steal your Flickr API key? They can get one themselves for free if they want one. There are legit reasons for people to steal the key from the official app -- they can abuse it since Flickr is unlikely to turn that one off -- but Flickr Uploadr doesn't even jump through this many hoops to keep the key secret private (basically, they just use a little hack that keeps the secret from showing up if you run strings on the binary). Long story short, an ordinary third-party key isn't even worth stealing.
I'm working on an app that uses OAuth to hit a web service, and I'm just putting the consumer secret in the info.plist file...
MacBook Pro, Mac OS X (10.5.2)