I’m developing a healthcare iOS app. I’d like my users’ data to be encrypted so if their iPhone is stolen, the thief won’t be able to access their health info. The rightful owner SHOULD be able to access their information (so different than this question).
I’m considering using SQLCipher to encrypt the entire DB, and putting the SQLCipher password in Keychain.
Is this a good technique?
Also, do I understand correctly that–since everything is on the device–a determined hacker will be able to break in no matter what?
I think that your solution make sens. It gives quite good security and keep your app simple to use.
The main thing you are geting with keychain is that the user backups are secured because keychain content isn’t backed up with iphone. (But I guess you know that already)
But this is huge security plus as the potential hacker will have to get physical access to the iphone. Moreover if the iphone is blocked by pin it is likely that the only quick way to get the data out is to physically access the flash memory of the device which isn’t the easiest thing to do.
To be honest I don’t believe that users will use your app if you force them to enter long passwords. And if you let them use any password their like, hackers will be able to break the database encryption using dictionary attack.