How can I protect my iOS app against tools like iFunbox

Question

I have an iOS app in which I download files to local storage. I've done the following to keep these local files secure: - Store them outside the documents folder (I use the library folder) - Use complete file encryption

But today I came across iFunbox. This is a tool that enables you to browse the filesystem of your iOS device without a jailbreak! What I noticed that if the device is unlocked I can browse all the files in the sandbox. Fortunately when the device is locked the files become inaccessible.

What I was wondering if there is anything I can do to further protect these files when the device itself is unlocked? So how can I protect my files from tools like iFunbox?

Answer 1

You need to set a passcode to prevent the device from pairing with a computer. But once the device has been paired there is no way in iTunes to unpair it.

You can remove the pairing using DiskAid 6 (http://www.digidna.net/diskaid)

Have look to this http://support.digidna.net/entries/22584881-About-Wi-Fi-and-Pairing-in-DiskAid-6

Answer 2

There's nothing you can do to stop access by apps like iFunBox. They're accessing things at the iOS filesystem which has nothing to do with your app.

If your files are encrypted correctly then that's all you can do.

FWIW you need to make sure you're adhering to the Data Storage Guidelines when you store documents in places other than ~/Documents, ~/Library/Caches and ~/tmp

Answer 3

This filesystem browsing utilities will only work when your device is unlocked, what you can do to greatly improve the security is to require the passcode protection for the devices running the app. That could be done for internal corporate applications where the data is extremely valuable, I believe it must be approved by Apple as well.

To find out if the passcode is set you will check the protection attributes of a dummy file created by you at allowed place: https://stackoverflow.com/a/6192536/792677

Then if the passcode is not set you can show the notification that the application requires it. I'm sure you could set device to require to enter the passcode by private API with the help of Apple engineers, but it would be private information anyway, right ?

The general advice will be to use a strong encryption and to perform the passcode check showing some security alert notifying the user his data is in danger if it isn't set.

Answer 4

Second answer is to store them in the cloud.

• iCloud
• DropBox
• Amazon S3
• Insert remote service here.

By not ever storing the documents on the device you solve your problem, however it may be less secure in some people's minds.