
1. How would you securely store private user data offline on a device? What other security best practices should be taken?

  • If the data is extremely sensitive, then it should never be stored offline on the device, because all devices are crackable.

  • The keychain is one option for storing data securely. However, its encryption is based on the PIN code of the device. Users are not forced to set a PIN, so in some situations the data may not even be encrypted. In addition, the user's PIN code may be easily hacked.

  • A better solution is to use something like SQLCipher, which is a fully encrypted SQLite database. The encryption key can be enforced by the application and kept separate from the user's PIN code.

Other security best practices are:

  • Only communicate with remote servers over SSL/HTTPS.

  • If possible, implement certificate pinning in the application to prevent man-in-the-middle attacks on public WiFi.

  • Clear sensitive data out of memory by overwriting it.

  • Ensure all validation of data being submitted is also run on the server side.
