Content Security on iOS Devices

On iOS devices, all Hybrid Web Container files and extra data entered by the user or retrieved from the server, are stored in a SQLite database that uses the SQLite Encryption Extensions (AES-128).

Hybrid Web Container Files

Hybrid Web Container files include all the files contained in the <workflow_package_name>.zip that is deployed to the device, including all HTML, JavaScript, CSS, and any other files that may be included as part of the Workflow zip package. When the iOS device's browser control requests these Web files, they are read from the encrypted SQLite database. The data is temporarily written to the file system under the application sandbox, after which the browser control reads the file contents into memory. The temp files are removed when the package is finished loading.

Attachments

If attachments, such as *.docx, *.pdf, and so on, are part of the <workflow_package_name>.zip deployed to the device, they are stored in the encrypted SQLite database.
  • When the JavaScript requests the attachments for viewing, they are read from the database, and temporarily written, unencrypted, to the Hybrid Web Container's’s sandbox for the viewer to display them.
  • Once the mobile workflow application closes, these temporary attachment files are immediately removed.

Attachments that are downloaded using an online request that uses an object query are stored unencrypted in the Hybrid Web Container's sandbox for the file viewers to display them. Once the mobile workflow application closes, these temporary attachment files are removed immediately.

Images

Images are stored unencrypted in the Hybrid Web Container's sandbox, then removed when the Workflow application closes.

Cached Online Requests

The results of online requests that are specified to be cached are stored in the encrypted SQLite Database. Cached results are removed when the Hybrid Web Container is unassigned from the device, or uninstalled from the server.

Notifications From the Server

Notifications from the server are stored in the same encrypted SQLite database, including the payload that makes up the notification. When the notification is acted upon, the JavaScript makes a request for the notification contents. This is read from the SQLite database and passed to the browser in memory.

User Input Sent to the Server

When the device has no network connectivity, and the user submits a Workflow application for the server to process, the data destined for the server is queued up on the device. This queue is again part of the encrypted SQLite database.

Encryption Keys

  • The Hybrid Web Containerontainer generates a hash from the password entered by the user, and a salt, combined
  • The Hybrid Web Container generates a random key
  • The Hybrid Web Container encrypts the key with the hash and stores it in the app area of the keychain