Reputation: 1342
protect an image in an iOS app
I have an iOS app which displays images from a backend (amazon S3) and I would like to prevent users to view image outside of the iOS application.
In fact, the backend sends the base64 representation of an image, to make is simple let's shorten the base64 of one image and let's assume that its representation is :
vQNBX1vW19ekvrrvi7eCqDH04QmUs1i3u4WpXjX3tQ2gh
If an user uses a proxy, he could easily intercept the http call and see the resulting json response which is something like
{ "img" : "vQNBX1vW19ekvrrvi7eCqDH04QmUs1i3u4WpXjX3tQ2gh"}
With this information, the user can save it and he will be able to view it outside of the iOS app.
That's why I am thinking about "hidding" the real image. To keep it simple, I cut the string in two parts, and reverse them ; the json document would become something like that :
{ "img" : {
"part1" : "0HDqCe7ivrrvke91Wv1XBNQv",
"part2" : "hg2Qt3XjXpW4u3i1sUmQ4"
}
}
(of course the obfuscation algorithm will be far more complex and the iOS will be responsible for handling this and reconstitute the real image)
My question is : Is this really efficient/secure ? My feeling is mitigated since the decryption algorithm will be hardcoded in the iOS app, will it be simple to discover it ?
Of course this won't prevent a user from taking a snapshot but I am fine with this.
Upvotes: 1
Views: 73
Answers (1)
Reputation: 4304
If, as @zaph recommends, you use strict HTTPS and certificate pinning, then users will be unable to use a proxy, or other network-monitoring tool, to see the image in transit.
If you only permit authenticated clients to download the image, and use some reasonable method of authentication, you can restrict the people who are able to access the image to authenticated users.
If you use some key derived from the user's authentication secret, or some other secret shared between the client and server, to encrypt the image server-side and decrypt it client-side, and you derive the key in such a way that the derivation is both non-obvious and computationally difficult, then you will confuse a user who writes a script to download the image.
If you implement all of these, you can make things difficult enough that the vast majority of your users either will be unable, or not care enough, to retrieve the image. However, a determined user will still, through expenditure of effort and/or capital, be able to pull out the image. Eventually, they will be able to write a script to download the image and remove whatever encryption/obfuscation you implement; there are attackers out there who are, at least, as clever as you are. The best you can hope for is to make it as time-consuming, difficult, and expensive as possible, so that clever attackers wont be bothered to try.
Upvotes: 1
Related Questions
- Image Encryption in Swift
- Any Ways to Protect Graphics / Sounds Data in IPA?
- Display encrypted image on UIIImageView in objective c
- SDWebImage Encrypted image
- Data hiding in Image
- How to obfuscate an iPhone app before being published into iTunes
- Is there a way to protect content(images, sounds) in an iPhone app?
- Protect Images inside my app from copying
- Encrypt a string and prevent reverse engineering in iOS
- Encrypt and decrypt algorithm for image in iPhone?