Good Dynamics SDK Part 4: Dive into Secure Storage API

CODE SAMPLES / 03.24.16 / EK Choi


In this article, we will dive into the Good Dynamics (GD) Secure Storage API.

We recommend that GD applications encrypt the data they store locally using the secure SQL database or the secure file system provided by the GD runtime. These files and databases are encrypted with AES-CBC using a 256-bit random key (the Data Encryption Key). Device-independent encryption ensures that even if the device passcode is compromised, app data remains protected.

Secure SQL Database API

The Good Dynamics Runtime will encrypt data stored in the secure SQL database. The GD secure SQL database is based on the SQLite library. Encryption is added by Good Dynamics transparently to the application. One thing to note is that the secure SQL database cannot be accessed until GD authorization processing is complete for the GD secured app.

Android package for the secure SQL database is

GD apps can use instead of native android.database to access GD SQL database. For example, you can use the following import statement:

    import;
    public static boolean importDatabase(...)
    // This function is used to create an encrypted database
    // from a plain SQLite database file.

iOS header for the secure SQL database is “sqlite3enc.h”

GD apps can access the secure database using the normal SQLite API with a number of additional functions as below:

    SQLITE_API int sqlite3enc_open (...)
    SQLITE_API int sqlite3enc_open_v2 (...)
    SQLITE_API int sqlite3enc_import (...)

Secure File System API

As well as the secure SQL database, the GD secure store API includes a secure file system. All data stored on the device is encrypted, including directory and file names. The secure file system cannot be accessed until GD authorization processing is complete. Encryption and decryption are transparent to the application code:

  • File-writing interfaces accept plain data. The GD Runtime encrypts the data and stores it on the device.
  • When a file-reading interface is utilized, the GD Runtime decrypts what was stored and returns plain data.
  • Path access interfaces accept plain parameters for directory and file names. The GD Runtime encrypts the parameter values in order to create paths in the secure store.
  • Directory and file names provided as return values are plain. The GD Runtime decrypts paths in the secure store in order to generate the return values.

The encryption method used by the GD Runtime generally requires that the user has entered a security password, from which an encryption key is derived.
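The behaviour described above can be modelled in Node.js. This is an added illustration, not Good Dynamics code or its API: ModelSecureStore and its method names, the in-memory Map standing in for device storage, PBKDF2 with its iteration count, and the idea that the password-derived key wraps the Data Encryption Key are all assumptions of this model.

```javascript
// Conceptual model only; this is not the GD Runtime's code or API.
const nodeCrypto = require('node:crypto');

// AES-256-CBC with a fresh random IV per call; output is IV || ciphertext.
function seal(key, plain) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([iv, c.update(plain), c.final()]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', key, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}
// Assumed KDF and iteration count; the page does not say how the key is derived.
const deriveKey = (password, salt) =>
  nodeCrypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');

class ModelSecureStore {
  constructor(password) {
    this.salt = nodeCrypto.randomBytes(16);
    // Assumption: the password-derived key wraps a random 256-bit Data Encryption Key.
    this.wrappedDek = seal(deriveKey(password, this.salt), nodeCrypto.randomBytes(32));
    this.disk = new Map(); // stand-in for device storage: stored name -> stored bytes
    this.dek = null;       // locked until authorize() succeeds
  }
  authorize(password) {
    // A wrong password fails here: bad padding throws, or the key has the wrong length.
    const dek = unseal(deriveKey(password, this.salt), this.wrappedDek);
    if (dek.length !== 32) throw new Error('wrong password');
    this.dek = dek;
  }
  key() {
    if (!this.dek) throw new Error('secure store locked: authorization not complete');
    return this.dek;
  }
  plainName(stored) { // stored (encrypted, hex) name -> plain name
    return unseal(this.key(), Buffer.from(stored, 'hex')).toString();
  }
  findStored(name) {  // plain name -> stored name, or undefined
    return [...this.disk.keys()].find(s => this.plainName(s) === name);
  }
  writeFile(name, data) { // plain name and data in, only ciphertext reaches "disk"
    const stored = this.findStored(name) ?? seal(this.key(), Buffer.from(name)).toString('hex');
    this.disk.set(stored, seal(this.key(), Buffer.from(data)));
  }
  readFile(name) {        // plain name in, plain data out
    const stored = this.findStored(name);
    if (!stored) throw new Error('no such file: ' + name);
    return unseal(this.key(), this.disk.get(stored)).toString();
  }
  listFiles() { return [...this.disk.keys()].map(s => this.plainName(s)); }
}
```

AES-CBC on its own gives confidentiality only, so this model does not detect modification of the stored bytes.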

Android package for the secure file system is

Members of the GDFileSystem class are listed here (free to register and log in).

iOS header for the secure file system is “GDFileManager.h”. Members of the GDFileManager class are listed here.

Secure Store for Core Data (iOS only)

GD applications can also store Core Data objects in the secure store for iOS. Using GDPersistentStoreCoordinator class instead of the default NSPersistentStoreCoordinator allows the use of the following additional Core Data store types:

  • GDEncryptedBinaryStoreType: Encrypted binary store that is stored in the GD Secure Store. Used in place of NSBinaryStoreType.
  • GDEncryptedIncrementalStoreType: Encrypted incremental store that is stored in the GD Secure Store. Used in place of NSSQLiteStoreType.

You can use the Secure Storage APIs above to transparently add encryption to apps, ensuring that data at rest on the device is secured. For more information, check out the Good Dynamics API Reference.

That’s it for now. Stay tuned for our next blog!


About EK Choi

EK is a member of the Enterprise Solutions Team, helping developers to create secure applications using BlackBerry solutions and services.