Reputation: 23596
Prevent attacker from decompiling iOS app and getting database access
According to this post, it's possible to decompile an iOS application.
How can I prevent an attacker from gaining access to my AWS DynamoDB database? Just having the access keys out in the open like shown on the Amazon developer guide doesn't seem like it would be very safe.
I would think that I could use keychain to store the keys, but I feel like there would be an easy way to get past this for a motivated attacker, given they have the app's assembly source code.
Currently, I connect using Amazon Cognito. All I have to use to connect are the identity ID and the role name. I don't see anything stopping an attacker from simply getting those values and connecting to the database.
For example, what stops an attacker from decompiling the Facebook iOS app code and deleting all of the users?
How can I prevent attackers from decompiling my iOS application and getting access to the database access keys, or at least prevent them from doing any major damage, such as deleting users?
Upvotes: 0
Views: 1820
Answers (3)
Reputation: 531
You can use SQLCipher and use your auth's userToken and/or userId as cipher keys.
Upvotes: 0
Reputation: 122419
It's impossible. In order for your program to do something, it must contain the instructions that allow the computer to follow to do that thing, which means anyone else can also follow those instructions to learn how to do the exact same thing.
Upvotes: 0
Reputation: 13854
Based on my admittedly limited experience, I'd say that a really motivated attacker will always be able to retrieve the credentials you use to access your database regardless of what you do to your executable. I would, however, question why you application needs to have direct access to your database in the first place.
The usual way to safeguard your serverside data is to use a web service to access it. App contacts web service with request, service contacts db, gets data, sends it back. Since the web service and the db are both hosted on your server and only the web service needs direct access to your db, there is no need to store db access info in your app. Problem solved.
Upvotes: 5
Related Questions
- Obfuscating Swift code before submission to Apple App Store
- Anti-tampering and code obfuscation tool for iOS Swift
- Decompilation possibilities in iOS and how to prevent them
- CoreData & Data Protection
- How to obfuscate an iPhone app before being published into iTunes
- How to prevent ipa file/iphone application from being cracked to source?
- How safe is information contained within iPhone app compiled code?
- Is it possible for an app to be decompiled?
- Protecting sensitive information in Objective C source code
- Protect iPhone app from hackers