umakanta

Reputation: 1059

Can anyone access my sqlite3 database from an app on an iPhone when the phone is lost?

I have created an application in which I fetch personal information from a website and store it in my local sqlite3 database. Only the authenticated user sees their information, after a successful login. Then I display it as required. I do not want this information to be hacked by anyone when the phone is lost.

I have implemented a feature so that when the app comes to the foreground from the background, it asks for the PIN, which is hardcoded in the app.

My questions:

  1. Can anyone access my local sqlite3 database when the phone is lost?

  2. Is there any way to encrypt the database and decrypt it when required?

  3. How can I be sure that the database is not vulnerable?

Thanking you

Upvotes: 3

Views: 576

Answers (4)

Clement Joseph

Reputation: 1293

Try this..

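#import <sqlite3.h>

// Handle for the opened database.
sqlite3 *database = NULL;

// Build the path to the database file in the app's Documents directory.
NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSString *dbPath = [documentsDirectory stringByAppendingPathComponent:@"myDatadase.sqlite"];
// The FILEPROTECTION flag asks iOS to apply the matching data protection class to the file.
if (sqlite3_open_v2([dbPath UTF8String], &database, SQLITE_OPEN_CREATE|SQLITE_OPEN_READWRITE|SQLITE_OPEN_FILEPROTECTION_COMPLETEUNTILFIRSTUSERAUTHENTICATION, NULL) == SQLITE_OK){
    NSLog(@"db opened securely");
}else{
    NSLog(@"db not opened");
}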

Upvotes: 1

Conrad Shultz

Reputation: 8808

As others have stated, yes, your information may well be accessible.

If your database contains confidential information it should be, at a minimum, stored using the iOS Secure File Storage mechanisms (assuming the OS supports it... IIRC it's iOS 4+).

For sqlite, to your sqlite3_open_v2() call pass one of the rather unwieldy

SQLITE_OPEN_FILEPROTECTION_COMPLETE...

options to enable secure file storage. These constants are declared with the rest of them in sqlite3.h.

Upvotes: 0
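
An added example, not code from any of the answers: one way to open the database with the file-protection flag discussed in the two answers above and then check that the main file and any SQLite sidecar files actually carry the Complete protection class. The function names are hypothetical, and `dbPath` is assumed to point into the app's Documents directory.

```objective-c
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// Added example (hypothetical helper). Returns YES only if the database file
// and every SQLite sidecar file that exists carry NSFileProtectionComplete.
static BOOL EnsureCompleteProtection(NSString *dbPath, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    // SQLite may create these next to the main file:
    // rollback journal, write-ahead log, shared-memory index.
    NSArray<NSString *> *suffixes = @[@"", @"-journal", @"-wal", @"-shm"];
    for (NSString *suffix in suffixes) {
        NSString *path = [dbPath stringByAppendingString:suffix];
        if (![fm fileExistsAtPath:path]) continue;
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:error];
        if (attrs == nil) return NO;
        NSString *current = attrs[NSFileProtectionKey];
        if ([current isEqualToString:NSFileProtectionComplete]) continue;
        // Weaker class (or none reported): upgrade the file in place.
        if (![fm setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete}
                  ofItemAtPath:path
                         error:error]) return NO;
    }
    return YES;
}

// Hypothetical helper: open (or create) the database with the strictest
// protection class, then audit the files on disk before handing it out.
static sqlite3 *OpenProtectedDatabase(NSString *dbPath) {
    sqlite3 *db = NULL;
    int flags = SQLITE_OPEN_CREATE | SQLITE_OPEN_READWRITE |
                SQLITE_OPEN_FILEPROTECTION_COMPLETE;
    if (sqlite3_open_v2([dbPath fileSystemRepresentation], &db, flags, NULL) != SQLITE_OK) {
        NSLog(@"open failed: %s", db ? sqlite3_errmsg(db) : "out of memory");
        sqlite3_close(db);   // safe even when db is NULL
        return NULL;
    }
    NSError *error = nil;
    if (!EnsureCompleteProtection(dbPath, &error)) {
        NSLog(@"could not verify file protection: %@", error);
        sqlite3_close(db);
        return NULL;
    }
    return db;
}
```

The protection class only takes effect when the device has a passcode set, and with the Complete class the file cannot be read while the device is locked, so background work that touches the database will fail.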

Goldie

Reputation: 1

Is this your problem to solve? It could be best to educate the user to use the Find My iPhone app to remotely wipe their lost iPhone. Savvy users will do this automatically to protect their contacts, and saved passwords to PayPay, eBay etc.

Upvotes: 0

tia

Reputation: 9698

  1. Anyone can access your file if they can get the phone (which is not so hard, e.g. using iPhone Explorer).

  2. I googled and found http://sqlcipher.net/. Take a look.

  3. If you are encrypting your database using a user-supplied password, I think it is secure enough on your part. A vulnerability might exist in the encryption part or so, but we can never be sure.

Upvotes: 0
