Approach for encrypted document recovery and transmission

Would someone please verify my understanding of the security capabilities/limitations for an app targeting iOS and Mac Catalyst (and perhaps macOS)?

Our app must have documents encrypted on disk (for a given user+device), and decrypted only in the context of the app. We also must have a way to recover documents after device failure, and to securely send documents from one user to another user.

The document-recovery requirement seems to rule out storing keys in the secure enclave, and to rule in the use of iCloud keychain (or some trusted key repository that I'd hate to have to build).

For the requirement to decrypt in the app only, we're relying on the keychain API only providing the key to our app. However, the Keychain user application seems to permit any (admin?) user to read passwords. If we needed to deter or prevent a malicious user from hacking the documents outside the app, what's the recommendation: conceal the salt? use a composite key? (We'd encrypt the key with a secure-enclave key, except that fails the recovery requirement.)

For sending documents from one user to another, we're planning to use public-key exchange to encrypt during transmission. That means we need to arrange a separate out-of-band communication for both public keys. For that we're assuming that we can send securely through iMessage (with user confirmation to send, and an iMessage extension on receive to drive the app), using iMessage guarantees that the message cannot be intercepted. So:

  1. Sender offers to send doc (with PK).
  2. Receiver stores sender PK, replies with PK.
  3. Sender sends doc.
  4. Receiver receives, decrypts using Sender PK.

Presumably we could save PKs on both ends to skip steps 1-2 for subsequent shares.

Our documents are small now (<10K), so in theory we could use iMessage for steps 3-4, but I'd prefer some non-interactive file-based transmission mechanism for user-to-user (outside Bluetooth range (not multipeer), no exchange server available). Is there a better option? Ideally, I'd be able to share with other app users where I had PKs using the share interface instead of the iMessage interface, but I would prefer to prohibit any other consumers. (An interaction-time Tailscale-style local network connection was our first choice.)

Pointers to docs or sample code most welcome!

Thanks
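
The four-step exchange described in the post above, sketched with CryptoKit as an added example (not the poster's code and not Apple sample code). It assumes X25519 key agreement with HKDF and ChaCha20-Poly1305; the `Party` type, the `sessionKey` helper and the `doc-share-v1` label are hypothetical names, and in step 4 the receiver combines the sender's public key with its own private key.

```swift
import CryptoKit
import Foundation

// Hypothetical type: each user holds a long-term key-agreement key pair.
// Only the public half is exchanged out of band (steps 1-2).
struct Party {
    let privateKey = Curve25519.KeyAgreement.PrivateKey()
    var publicKeyData: Data { privateKey.publicKey.rawRepresentation }

    // Derive the symmetric key from our private key and the peer's public key.
    // Both public keys are bound into the derivation, sender first, so the
    // key is specific to this pair and this direction.
    func sessionKey(peer: Data, senderPK: Data, receiverPK: Data) throws -> SymmetricKey {
        let peerKey = try Curve25519.KeyAgreement.PublicKey(rawRepresentation: peer)
        let secret = try privateKey.sharedSecretFromKeyAgreement(with: peerKey)
        return secret.hkdfDerivedSymmetricKey(
            using: SHA256.self,
            salt: Data(),
            sharedInfo: Data("doc-share-v1".utf8) + senderPK + receiverPK, // assumed label
            outputByteCount: 32)
    }
}

let sender = Party(), receiver = Party()
let senderPK = sender.publicKeyData      // step 1: sender offers, with PK
let receiverPK = receiver.publicKeyData  // step 2: receiver replies with PK

// Step 3: sender encrypts; `sealed` is nonce + ciphertext + tag in one blob.
let document = Data("constructed sample document".utf8)
let sendKey = try sender.sessionKey(peer: receiverPK, senderPK: senderPK, receiverPK: receiverPK)
let sealed = try ChaChaPoly.seal(document, using: sendKey).combined

// Step 4: receiver derives the same key and authenticates while decrypting.
let recvKey = try receiver.sessionKey(peer: senderPK, senderPK: senderPK, receiverPK: receiverPK)
let opened = try ChaChaPoly.open(ChaChaPoly.SealedBox(combined: sealed), using: recvKey)

// A single flipped bit in transit must make decryption fail, not return garbage.
var tampered = sealed
tampered[tampered.count - 1] ^= 0x01
let rejected = (try? ChaChaPoly.open(ChaChaPoly.SealedBox(combined: tampered), using: recvKey)) == nil
print("round trip ok:", opened == document, "tampered rejected:", rejected)
```

The sealed blob is plain `Data`, so it can be written to a file and carried over any channel; its confidentiality rests on the public keys having been exchanged authentically, not on the transport of the document itself.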
