Comments on: Are You Storing Sensitive Data in NSUserDefaults? Stop Doing That!
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/
Teaching you cool stuff since 2012. Fri, 21 Jun 2019 10:32:11 +0000

By: iOS Appsec for Developers – IV: Points to remember | Hackerette's Infosec Blog
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1640
Mon, 07 May 2018 19:20:00 +0000
[…] https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/ […]

By: How secure is NSUserDefaults on iOS 8,9? * VPN SSL Online
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1138
Wed, 09 Mar 2016 19:22:19 +0000
[…] Programming Guide suggests you can persist In-App purchase in NSUserDefaults here. However I found this article saying that it is insecure and data in it are easily accessed and […]

By: Andrés Ibañez
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1048
Fri, 30 Oct 2015 20:41:43 +0000
To clarify: The receipt will always clarify purchases (other than consumables), so what you need to do is to check that receipt.

And to do so, yes, it is very complicated. There are libraries on GitHub that make this easier:

https://github.com/search?l=Objective-C&langOverride=&q=iap&repo=&start_value=1&type=Repositories
https://github.com/search?l=Swift&langOverride=&q=iap&repo=&start_value=1&type=Repositories

Although it is not recommended to use them unless they allow you to add your own verifiers. Using generic modifiers is dangerous because if an attacker knows you use it, it’s trivial to crack. It is not very likely this will happen unless your app becomes very popular, but keep that possibility in mind.

By: Noah Covey
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1047
Fri, 30 Oct 2015 20:27:57 +0000
I looked at Apple’s documentation on validating receipts for in-app purchases and it looks extremely complicated. Is there any other way to persist IAPs?

By: Andrés Ibañez
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1043
Wed, 28 Oct 2015 00:58:44 +0000
The receipt is an actual encrypted file that gets downloaded when users purchase anything on your app. When users restore an IAP, the receipt is downloaded again and you can use it to verify purchases.

Note that consumables (i.e. “bullets”) do not work this way, and you will have to persist them some other way. I’d store consumables in the keychain. iCloud’s KVS is also essentially a plain text file. Honestly the best option would be to store all that info in an external server, but not everybody can afford to do that.

By: Noah Covey
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1042
Tue, 27 Oct 2015 23:03:53 +0000
So then, if NSUserDefaults aren’t secure:

How is the receipt used to persist IAP? I can’t find much about that online.

Is the iOS keychain or iCloud easier for storing info like high score or # of coins?

By: Noah Covey
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1037
Mon, 19 Oct 2015 23:49:15 +0000
Thanks for the great article and quick reply.

By: Andrés Ibañez
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1036
Mon, 19 Oct 2015 03:44:09 +0000
No. The “rocket car” example is very similar to your case, and it’s a good example of what you shouldn’t do.

By: Noah Covey
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-1035
Mon, 19 Oct 2015 00:52:20 +0000
Is it safe to store (any) of the following with NSUserDefaults in a game?
A high score (integer)
Number of coins, earned in game and through IAP (integer)
Whether or not a character or level has been unlocked, through playing or IAP (Boolean)
Thanks!

By: triannabrannon
https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/#comment-916
Fri, 11 Sep 2015 23:44:56 +0000
Thank you for such a great article!