Security Model

Overview of TheCompanyApp's security architecture and data protection strategy.

Security Principles

1. Data Isolation

Principle: Each company's data is completely isolated via companyID scoping.

Enforcement:

All queries filtered by companyID
No cross-company data access possible
Core Data fetch requests enforce predicate

Example:

// WRONG: No company scoping
let request: NSFetchRequest<Orders> = Orders.fetchRequest()

// CORRECT: Company-scoped
let request: NSFetchRequest<Orders> = Orders.fetchRequest()
request.predicate = NSPredicate(format: "companyID == %@", company.companyID as CVarArg)

2. Credential Privacy

Principle: User credentials (UserPass) never synchronized to Shared Database.

Implementation:

UserPass excluded from "Shared" Core Data configuration
Each user creates their own UserPass for each company
Owner cannot see participant credentials
CloudKit syncs UserPass only to user's Private Database

Result: Credentials remain private even in shared companies.

3. End-to-End Encryption

Principle: All CloudKit data encrypted by Apple.

CloudKit Guarantees:

Private Database: Encrypted with user's iCloud keys (Apple cannot decrypt)
Shared Database: Encrypted, accessible only to share participants
In Transit: TLS 1.3 for all network communication

App Responsibility: None - CloudKit handles encryption automatically.

4. iCloud Authentication

Principle: User must be signed in to iCloud to access data.

Verification:

import CloudKit

func checkiCloudStatus() async -> Bool {
    let container = CKContainer(identifier: "iCloud.TheCompany.3N")
    do {
        let status = try await container.accountStatus()
        return status == .available
    } catch {
        return false
    }
}

Error State: App shows login screen if iCloud unavailable.

Threat Model

Threats Mitigated

✅ Unauthorized Access to Company Data

Mitigation: iCloud authentication required
Attacker without Apple ID cannot access data

✅ Cross-Company Data Leakage

Mitigation: companyID scoping enforced in all queries
One company cannot read another company's data

✅ Credential Theft via Shared Database

Mitigation: UserPass in Private Database only
Share participants cannot access owner's credentials

✅ Man-in-the-Middle Attacks

Mitigation: TLS 1.3 for all CloudKit communication
Network traffic cannot be intercepted

✅ Data at Rest on Device

Mitigation: iOS Data Protection (when device locked, DB encrypted)
Requires device passcode/biometric authentication

Threats NOT Mitigated

⚠️ Malicious Share Participant

If owner grants "Can Edit" to participant, participant can delete all company data
Mitigation: Trust-based - only share with known users
Future: Implement audit logs, change history

⚠️ iCloud Account Compromise

If attacker gains access to user's Apple ID, they access all data
Mitigation: Apple's 2FA, strong password enforcement
App cannot prevent this

⚠️ Device Theft (Unlocked)

If device stolen while unlocked, attacker has full access
Mitigation: iOS auto-lock, require biometric re-auth (see next section)

⚠️ Jailbroken Devices

On jailbroken iOS, app sandbox can be bypassed
Mitigation: None - Apple's security model broken

Biometric Authentication

Feature: Face ID / Touch ID for app access.

Implementation (SettingsView.swift):

import LocalAuthentication

func authenticateUser() async -> Bool {
    let context = LAContext()
    var error: NSError?
    
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return false
    }
    
    do {
        return try await context.evaluatePolicy(
            .deviceOwnerAuthenticationWithBiometrics,
            localizedReason: "Authenticate to access TheCompanyApp"
        )
    } catch {
        return false
    }
}

User Control: Settings → Security → Enable Face ID.

Timeout: Re-authenticate after app backgrounded for > 5 minutes.

Access Control (App-Level)

Entity: AccessControl

Purpose: Fine-grained permissions beyond CloudKit's read/write.

Attributes:

companyID: Company this access applies to
userName: Email of user
canViewInventory, canEditInventory: Inventory permissions
canViewOrders, canEditOrders: Orders permissions
... (see entity reference)

Enforcement:

func canPerformAction(_ action: String, for company: Companies, user: String) -> Bool {
    let access = fetchAccessControl(company: company.companyID, user: user)
    
    switch action {
    case "viewInventory":
        return access?.canViewInventory ?? false
    case "editInventory":
        return access?.canEditInventory ?? false
    // ... other actions
    default:
        return false
    }
}

UI Integration: Buttons disabled if user lacks permission.

Network Security

CloudKit Communication: HTTPS only (TLS 1.3).

API Requests: None - app uses only CloudKit, no custom backend.

Third-Party SDKs: None with network access.

Data Retention

On Device:

Data persists until app deleted or company deleted
SQLite files in app's Documents directory

In CloudKit:

Data persists until owner deletes company
Share participants see data until owner stops sharing or removes participant
No automatic expiration

Deletion:

// Hard delete (permanent)
viewContext.delete(company)
try viewContext.save()
// CloudKit removes records from server within minutes

No Soft Deletes: Deleted data is permanently removed.

Audit Logging

Current State: Not implemented.

Future Enhancement:

Create AuditLog entity
Record: user, action, timestamp, companyID
Log: create, update, delete for sensitive entities

Example:

func logAction(user: String, action: String, entity: String, companyID: UUID) {
    let log = AuditLog(context: viewContext)
    log.userName = user
    log.action = action // "created_order", "deleted_inventory"
    log.entityType = entity
    log.companyID = companyID
    log.timestamp = Date()
    try? viewContext.save()
}

Compliance Considerations

GDPR (EU users):

Right to Access: User can export company data
Right to Erasure: Delete company removes all data
Right to Portability: Export to CSV/JSON

CCPA (California users):

Similar to GDPR rights

SOC 2 (Enterprise):

CloudKit is SOC 2 Type II certified
App inherits some controls

Note: TheCompanyApp is not formally certified. Consult legal counsel for compliance requirements.

PreviousTroubleshooting NextCredential Storage

Last updated 1 hour ago

Good morning

hashtagSecurity Principles

hashtag1. Data Isolation

hashtag2. Credential Privacy

hashtag3. End-to-End Encryption

hashtag4. iCloud Authentication

hashtagThreat Model

hashtagThreats Mitigated

hashtagThreats NOT Mitigated

hashtagBiometric Authentication

hashtagAccess Control (App-Level)

hashtagNetwork Security

hashtagData Retention

hashtagAudit Logging

hashtagCompliance Considerations