Answered

encryption during data transfer

Hi - My question is about encryption for data as I push it to a database collection in my Kinvey mBaaS.  Is encryption enforced all the time?


I'm working in Rad Studio 10.2.3 (Tokyo) which is an IDE from Embarcadero.  It has built components for Kinvey access and I am using them.  This YouTube video shows how they are used (it also has extra info about UI stuff that Embarcadero provides but the Kinvey pieces are sprinkled in):  https://www.youtube.com/watch?v=tJ9gQUUzfaw&t=258s

 

I just created a multi-device (iOS, Android etc.) application (Firemonkey) and added the “KinveyProvider” control, “BackendStorage” control, and a “BackendUsers” control.  I’m working in C++.

 

In the KinveyProvider control I entered the AppKey, AppSecret, and MasterSecret that I get from my Kinvey app on the console.  I also added a username and password that has permission to my Kinvey app.  Screen shot below:


image


Next I just made sure that the BackendStorage and BackendUsers controls had “KinveyProvider1” selected as their provider.

 

To log the user in to Kinvey I ran this code in a button's on-click event:

    // Receives the entity describing the logged-in user
    TBackendEntityValue ACreatedObject;
    // Log in through the BackendUsers component bound to KinveyProvider1
    BackendUsers1->Users->LoginUser(username->Text, password->Text, ACreatedObject);
    ShowMessage("You are logged in.");
    status->Text = "Status: Logged in";

 

Then I pushed some data into my Kinvey app database with this code under another button:

    // Build the JSON document from the two edit fields
    TJSONObject * LJSON = new TJSONObject();
    LJSON->AddPair("field1", Edit1->Text);
    LJSON->AddPair("field2", Edit2->Text);
    // Receives the entity created in the "test-database" collection
    TBackendEntityValue ACreatedObject;
    BackendStorage1->Storage->CreateObject("test-database", LJSON, ACreatedObject);
    ShowMessage("Data pushed to Kinvey");

 

It works fine.  But there is nothing in the Embarcadero docs that says a word about encryption.  I have no idea if I’m logging in with my user's credentials “in the clear” or if it is encrypted.  Same with pushing data up to Kinvey.  That is the piece I need to know about.  I suspect it is encrypted – but I want to have positive knowledge before I attempt to store anything that could be personally recognizable from my users.

 

Thank you!

Russ




Best Answer

Hello Russ,


Regarding your question about data encryption - Yes, it is always encrypted using AES-256 when stored offline on the device. All data is encrypted during transmission using TLS/SSL with an allowable list of ciphers. Passwords, PINs, shared secrets and other sensitive information are hashed using bcrypt, SHA-1, SHA-2 or SHA-3 based on the type of data. All passwords are "salted" and hashed when stored.


For more information, please check this link.



Thanks,

Pranav
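
One way to get the "positive knowledge" the question asks for is to handshake with the backend's API host and inspect what was actually negotiated. This is an added example, not part of the original thread and not Kinvey or Embarcadero code; HOST is a placeholder for the host your provider component is configured to use, and the weak-cipher markers are an illustrative list.

```python
import socket
import ssl

# Placeholder (assumption): substitute the API host your backend provider uses.
HOST = "backend.example.invalid"

# Substrings marking cipher suites without modern authenticated encryption.
WEAK_CIPHER_MARKS = ("RC4", "DES-CBC", "NULL", "EXP-", "MD5")
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def strict_context():
    """Client context: chain and hostname verified, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Handshake with host; return the negotiated parameters or the error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                name, _, bits = tls.cipher()
                return {"version": tls.version(), "cipher": name, "bits": bits}
    except (ssl.SSLError, OSError) as exc:
        # Covers DNS failure, refused connection, bad certificate, old protocol.
        return {"error": f"{type(exc).__name__}: {exc}"}


def assess(result):
    """Turn a probe result into findings; an empty list means it passed."""
    if "error" in result:
        return ["no verified TLS 1.2+ session: " + result["error"]]
    findings = []
    if result["version"] not in ACCEPTED_VERSIONS:
        findings.append("protocol version " + str(result["version"]))
    if any(mark in result["cipher"] for mark in WEAK_CIPHER_MARKS):
        findings.append("weak cipher suite " + result["cipher"])
    if result["bits"] < 128:
        findings.append(f"only {result['bits']} secret bits")
    return findings


if __name__ == "__main__":
    outcome = probe(HOST)
    print(outcome, assess(outcome) or "OK")
```

A clean result only shows that the server accepts a verified TLS session; confirming that the app itself never falls back to plain HTTP still requires checking the base URL the provider component uses or capturing the device's traffic.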
