Securing data using Core Data in iOS

AppsDev · Sep 9, 2014

I have a couple of issues regarding protection of data for my app:

1) I need to encrypt all the data I store by means of Core Data, but I can't find a starting point for achieving that. In the Core Data Programming Guide they say that:

Core Data makes no guarantees regarding the security of persistent stores from untrusted sources and cannot detect whether files have been maliciously modified. The SQLite store offers slightly better security than the XML and binary stores, but it should not be considered inherently secure. Note that you should also consider the security of store metadata since it is possible for data archived in the metadata to be tampered with independently of the store data. If you want to ensure data security, you should use a technology such as an encrypted disk image.

That doesn't make it clear to me what I should do... I have also taken a look at the Security Overview, but this document doesn't seem to deal with Core Data. However, they mention Data Protection to secure files, but I'm not sure if this is what I'm really looking for... should I use Data Protection for the SQLite file which Core Data works with?

I need some guidance about how I could encrypt all Core Data stored data, please.

2) Would it be better to store users' passwords in the keychain, instead of encrypting and storing them using Core Data?

Thanks in advance

Answer

quellish · Sep 9, 2014

Since iOS 5, Core Data persistent stores have used Data Protection to encrypt data by default. From the iOS 5 release notes:

For apps built for iOS 5.0 or later, persistent stores now store data by default in an encrypted format on disk. The default protection level prevents access to the data until after the user unlocks the device for the first time. You can change the protection level by assigning a custom value to the NSPersistentStoreFileProtectionKey key when configuring your persistent stores. For additional information about the data protection that are new in iOS 5.0, see “Data Protection Improvements.”

This is also covered in the WWDC 2011 session "What's new in Core Data".

As a best practice, usernames and passwords should be stored in the keychain. If you are storing a username and password for a remote service (such as an HTTP server, FTP server, etc.) it's preferable to use the keychain through the NSURLCredentialStorage API.
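An added example, not part of the original answer: raising the store's protection level with `NSPersistentStoreFileProtectionKey` and then confirming which protection class the files on disk actually carry. It is written in Swift; the function names are hypothetical, and the check of the `-wal` and `-shm` files assumes the SQLite store runs in its default write-ahead-logging mode.

```swift
import CoreData
import Foundation

// Hypothetical helper: open a SQLite store with the strictest Data Protection
// class instead of the default (readable after the first unlock).
func makeProtectedCoordinator(model: NSManagedObjectModel,
                              storeURL: URL) throws -> NSPersistentStoreCoordinator {
    let coordinator = NSPersistentStoreCoordinator(managedObjectModel: model)
    let options: [AnyHashable: Any] = [
        // With .complete the file is unreadable whenever the device is locked,
        // so background work that touches the store will fail while locked.
        NSPersistentStoreFileProtectionKey: FileProtectionType.complete
    ]
    try coordinator.addPersistentStore(ofType: NSSQLiteStoreType,
                                       configurationName: nil,
                                       at: storeURL,
                                       options: options)
    return coordinator
}

// Hypothetical helper: read the protection class a file actually has.
// Returns nil when the attribute is absent (for example on the Simulator,
// where Data Protection is not enforced).
func protectionClass(atPath path: String) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: path)
    return (attrs[.protectionKey] as? String).map(FileProtectionType.init(rawValue:))
}

// Hypothetical audit: list the store file and its sidecar files whose
// protection class is weaker than expected or missing.
func weaklyProtectedFiles(storeURL: URL,
                          expected: FileProtectionType = .complete) -> [String] {
    let candidates = [storeURL.path,
                      storeURL.path + "-wal",   // assumed WAL sidecar
                      storeURL.path + "-shm"]   // assumed shared-memory sidecar
    return candidates.filter { path in
        guard FileManager.default.fileExists(atPath: path) else { return false }
        let actual = try? protectionClass(atPath: path)
        return actual != expected
    }
}
```

Run the audit on a passcode-protected device after the store has been written to; an empty result means every file that exists carries the expected class.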