Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Encrypt Stored Sensitive Data

  
  

Applies To

  • iOS applications that store sensitive data.

What to Do

Encrypt sensitive data stored in files.

Why

Encrypt sensitive data stored in files to prevent attackers from gaining access to it if the device is lost or compromised.

How

To encrypt sensitive data stored in files:

  1. Identify sensitive data. Make a list of all sensitive information handled by your application.
  2. Identify sensitive data storage locations. Sensitive data may be stored in the following locations:
  • Application-created files
  • Temporary files
  • Cached data
  • Cookies
  • Databases
  • Logs
  • Plists
  • Keychain
  1. Define encryption requirements for sensitive data that is stored in files. Choose the level of protection that is the most appropriate for each type of stored sensitive data handled by the application. The iOS Data Protection API provides the following protection levels:
  • FileProtectionNone - no encryption.
  • FileProtectionComplete - encrypt the file and deny access when the device is locked.
  • FileProtectionCompleteUnlessOpen - encrypt the file until it is open, leave it decrypted while it is open even if the device is locked.
  • FileProtectionCompleteUntilFirstUserAuthentication - encrypt the file until the device is unlocked for the first time after a reboot.
  1. Define encryption requirements for sensitive data that is stored in the keychain. Choose the level of protection that is the most appropriate for each type of sensitive data handled by the application that is stored in the keychain. The keychain provides the following protection levels:
  • kSecAttrAccessibleAlways - the item is always available.
  • kSecAttrAccessibleWhenUnlocked - the item is only available when the device is unlocked.
  • kSecAttrAccessibleAfterFirstUnlock - the item is only available after the device is unlocked for the first time after a reboot.
  • kSecAttrAccessibleAlwaysThisDeviceOnly - the item is always available, but is not moved to other devices.
  • kSecAttrAccessibleWhenUnlockedThisDeviceOnly - the item is only available when the device is unlocked and is not moved to other devices.
  • kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly - the item is only available after the device is unlocked for the first time after a reboot and is not moved to other devices.
  1. Encrypt sensitive files. Use the appropriate APIs to encrypt stored sensitive data. Data stored in the keychain is always encrypted.

Comments

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics