понеділок, 30 травня 2011 р.

iPhone SQLite data encryption - SQLCipher and CommonCrypto

If you ever need to encrypt an SQLite database for using it within an iPhone app you basically have 2 options (if you don't want to invent a wheel):

- CommonCrypto library. It's a part of the iPhone SDK but not "explicitly". Apple's Security Coding How-To's says "The CommonCrypto library is used for symmetric encryption, hashing, and HMAC operations". If you don't want to go deep into CommonCrypto methods right now you can check an AES-256 Encrypt/Decrypt NSData extension ( The details can be found in Apple's manual, don't forget to link CommonCrypto framework to your project). You can use CommonCrypto methods to encrypt the contents of some of your SQLite table fields.

- SQLCipher extension to SQLite from Zetetic. It seamlessly integrates into SQLite library on the file page read/write level and uses OpenSSL to secure your data. All you have to do in your code is to provide a key to use with your encrypted database.

You can enjoy it right after you managed to build OpenSSL and SQLCipher. I suggest you using this tutorial on MobileOrchard. The tutorial on the sqlcipher.net is almost identical (except it contains just a bit more information) but the images are missing. So combining these 2 you will definitely build the library sooner or later - I spent a bit more time than expected due to my mistakes and some flaws in the tutorial.

Guys from Zetetic promises that the encryption will slow down DB operations not more than 10-15%. CommonCrypto might probably be faster if you need only a fraction of your data to be encoded. In case you want all fields to be secured SQLCipher should be the option.

Using encryption inside your app is a controversial issue due to the US export restrictions. There's a step in Apple's app publishing where you need to specify whether your app uses encryption. Stephen Lombardo insists in his blog post that using any kind of encryption including HTTPS requires a special export authorization. There are also some rumors on the Web. I suggest you to read the post, google around and take your own decision - getting the export authorization might be a cumbersome process.

Немає коментарів: