Secure transmission of encryption private key to app

I'm trying to find a similar solution to the one provided by the new CoreML Model encryption announced in iOS 14.

I want to be able to download encrypted packages to an app that are then decrypted in memory for usage and are secure against jail breaking and theft. (See my previous question for more details on what I'm working on)

The crux of this problem is how to securely transmit the private key to the app in a way that it can't be spoofed.
I'm assuming that once the app has the key it is safe (even from the user) to store it in the KeyChain?

My question is - is there a way to use CloudKit, or existing iOS frameworks, to achieve this?

Up vote post of Seoras Down vote post of Seoras
562 views
Posted by
Seoras
Reply
Add a Comment

Accepted Reply

I’ve been watching your other thread go by but haven’t chimed in because I’m not familiar with the Core ML side of this. However, this question is something I can address directly:

… secure against jail breaking and theft … is there a way to use CloudKit, or existing iOS frameworks, to achieve this?

No. What you’re trying to build here is a DRM system — you want to give the user some content but control how they use it — and DRM systems always represent an arms race between you and your attackers. As with any arms race, there’s an associated cost and, at some point, the cost of ‘winning’ exceeds the value of the content you’re trying to protect.

I’ve posted about this stuff before (like here and here) and the big picture situation hasn’t really changed. There have been some technical developments (1) but this is largely a business issue not a technical one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) Most notably, the iOS 14 beta enhancements to the DeviceCheck framework.
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

I’ve been watching your other thread go by but haven’t chimed in because I’m not familiar with the Core ML side of this. However, this question is something I can address directly:

… secure against jail breaking and theft … is there a way to use CloudKit, or existing iOS frameworks, to achieve this?

No. What you’re trying to build here is a DRM system — you want to give the user some content but control how they use it — and DRM systems always represent an arms race between you and your attackers. As with any arms race, there’s an associated cost and, at some point, the cost of ‘winning’ exceeds the value of the content you’re trying to protect.

I’ve posted about this stuff before (like here and here) and the big picture situation hasn’t really changed. There have been some technical developments (1) but this is largely a business issue not a technical one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) Most notably, the iOS 14 beta enhancements to the DeviceCheck framework.
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment
Thanks! I just needed someone to tell me I was correct in my assumptions on the options I had and that there wasn't anything, new or old, that I had missed and not considered.

Posted by
Seoras
Up vote reply of Seoras Down vote reply of Seoras
Add a Comment