I am writing an iOS app which needs to be HIPAA compliant. The app should preferably function offline, so data needs to be stored on the phone.
So here is what I was thinking of doing:
- On first launch, the user enters a username, password and a pass-phrase. The server authenticates the user using the username, password and UDID (Advertising ID) of the device. Communication with the server will be done using HTTPS.

If authentication is successful:
- The username is stored in the Keychain.
- Pass-phrase+UDID is hashed using "PBKDF2", available in the OpenSSL library. This is also stored in the Keychain. The salt for this operation is stored in the Keychain. For subsequent validations, the salt is obtained from the Keychain.
- Username+Pass-phrase+UDID+Static-Key is used to generate a key using "PBKDF2", and again the salt is stored in the Keychain and retrieved from the Keychain for subsequent uses. The generated key is stored in memory and the pass-phrase is forgotten after the key has been generated. The Static-Key is present in the code.
- When the app goes to the background, the key is forgotten, i.e. the variable is set to nil.
- Upon resuming or re-launching the app, the user is presented with a screen to enter the pass-phrase. If the pass-phrase entered is correct, the app will generate the key again. Otherwise, after around five consecutive attempts, the app will wipe the data and take the user back to the login screen (if possible, also sending a message to the server regarding the event with the necessary information).
Now here are my two questions:

I would like to know how stable project-imax/EncryptedCoreData is. I know they do not support many-to-many relations. But I worked around this problem by creating an entity to represent the relationship (similar to the way this is done in an actual SQL DB by using a third table). I would like to hear from anyone who has experience with Encrypted Core Data about their experiences and the problems they faced. Especially, how would this compare to encrypting the individual attributes, performance-wise?

Secondly, do you guys see any problem with the security measures I am planning to put in place? Any suggestions or improvements you would like to mention?
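
The flow described in the question, modelled in Python as an added example that is not part of the original post: `hashlib` stands in for OpenSSL's PBKDF2 and a dict stands in for the Keychain. The `Vault` class, the iteration count, SHA-256, the length-prefixed field encoding, the stored failure counter and all sample values are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 100_000                    # assumed work factor; the post gives none
STATIC_KEY = b"constructed-static-key"  # placeholder for the value compiled into the app
MAX_ATTEMPTS = 5

def _join(*parts: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    return b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)

def _kdf(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)

class Vault:
    def __init__(self):
        self.keychain = {}   # stand-in for the iOS Keychain (persistent)
        self.key = None      # data-encryption key, held in memory only

    def enroll(self, username, passphrase, device_id):
        # Separate random salts for the stored verifier and the encryption key.
        kc = self.keychain = {"username": username, "failures": 0,
                              "verifier_salt": os.urandom(16), "key_salt": os.urandom(16)}
        kc["verifier"] = _kdf(_join(passphrase, device_id), kc["verifier_salt"])
        self._derive_key(passphrase, device_id)

    def _derive_key(self, passphrase, device_id):
        # The key itself is never written to the keychain, only its salt.
        material = _join(self.keychain["username"], passphrase, device_id) + STATIC_KEY
        self.key = _kdf(material, self.keychain["key_salt"])

    def background(self):
        self.key = None      # app moved to background: drop the key

    def unlock(self, passphrase, device_id):
        kc = self.keychain
        if not kc:
            return "wiped"   # nothing left to unlock; caller goes back to login
        candidate = _kdf(_join(passphrase, device_id), kc["verifier_salt"])
        if hmac.compare_digest(candidate, kc["verifier"]):  # constant-time compare
            kc["failures"] = 0
            self._derive_key(passphrase, device_id)
            return "unlocked"
        kc["failures"] += 1
        if kc["failures"] >= MAX_ATTEMPTS:
            kc.clear()       # wipe stored material after five consecutive failures
            self.key = None
            return "wiped"
        return "denied"
```

Because the verifier and the key use different salts, the value kept in the Keychain for checking the pass-phrase is not the encryption key and cannot be used in its place.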