I want to store a variable that tells me if a user has made an InApp Purchase on the mobile device. NSUserDefaults seems to be accessible from users. Is there a simple and efficient way to do this ?
There a couple of options.
Save the data in the Keychain.
Generate a random key, encrypt the data with CommonCrypto, save the encrypted file in Documents directory and the encryption key in the Keychain.
See WWDC13 2013 video "Protecting Secrets with the Keychain". You can access it either on you computer or on an iOS device with the Apple WWDC app.
Related
I'm writing my first app for iOS. In it conceived some protection from repetitive actions of the same user device (few, if apple account. Login "login-password" at the application level as such does not exist, therefore it was necessary to implement a hidden identification.
Convenient would it be to generate a random number that would be stored somewhere in the user, and remained unchanged even when reinstalling the app.
Started to read it. Learned about SSKeyChain. But just do not have enough experience to understand your logic... Please explain in accessible language!
My assumptions:
(please correct if I'm wrong!)
1) each user single Apple account that is attached all apps to one of the device, and thus the storage on the device. Or is the cloud for one account and multiple devices for this account (which is called keychain)?
2) has a free Access to the library SSKeyChain (via the security framework), which I for your application can write any data with their keys (the password to the app, login, color scheme)... so if you reinstall the app, it could check "are there any settings in KeyChain for me?" and take data from there. Similar to NSUserDefaults/SharedPreferences (ios/android), not receding after reinstalling the app.
3) the Possibility of losing data from KeyChain the user device is only shift Apple account any action by Apple.
So? :)
If you reinstall app,information stored in keychain is still there.But your provisioning profile should not change
From document
On iPhone, Keychain rights depend on the provisioning profile used to sign your application. Be sure to consistently use the same provisioning profile across different versions of your application.
Keychain is encrypted container and in iOS an application can access only its own keychain items.
When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup.
It is just an iOS provide container to save sensitive data。I do not understand what you say about Apple account.
My question is directly related to this one but is different: iOS: keychain on new devices or on restores.
The poster is curious if you store information in keychain storage, does it get backed up to iTunes and iCloud so that when you restore it to another device the data are persisted. A partial answer to the OP's own question was:
But now I read that the keychain is only restored if the backup is encrypted in iTunes (don't know about iCloud backups).
The accepted answer was:
You can transfer data using the iCloud, but this is NOT really secure! Save this data ENCRYPTED on your server and let the app read this data would be a solution. Btw. you shouldn't save sensible data unencrypted in the keychain. The keychain can be read really easy after jailbreak.
Is whether the backup is encrypted or not determined by the developer's access to encrypt the data in code or by how the iTunes or iCloud user handles their backups? The answer to this is very important to me because I am trying to set an initial launch date of an app that determines how long before they have to resubscribe with in-app subscriptions. This piece of information must be shared between old and new devices and also remain on a single device even if the app is removed for a time period.
The following text was from Apple's doc:
Keychain (this includes email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications. If you encrypt the backup with iOS 4 and later, you can transfer the keychain information to the new device. With an unencrypted backup, you can restore the keychain only to the same iOS device. If you are restoring to a new device with an unencrypted backup, you will need to enter these passwords again.)
I thought about storing important and sensitive information in iOS' keychain. But now I read that the keychain is only restored if the backup is encrypted in iTunes (don't know about iCloud backups). This is especially a problem when users buy a new iPhone/iPad and restore them from a backup. The information stored in the keychain by the old device will be lost.
Is there any (secure) possibility to transfer the data to new devices or on restores independently of the backup settings?
You can transfer data using the iCloud, but this is NOT really secure! Save this data ENCRYPTED on your server and let the app read this data would be a solution.
Btw. you shouldn't save sensible data unencrypted in the keychain. The keychain can be read really easy after jailbreak.
For more information about handling with sensible data you may read this book:
Hacking and securing iOS Applications
I am working on an app that has a number of in app store purchase items that will enable certain functionality.
After each item is purchased, I would need to remember it (of course). I would also like to persist this information in iCloud in case the app is deleted or is installed on another device.
What is the best data structure to be used?
Can user defaults database be used for this?
What is important is that the user will not have access to change those values and enable by themselves the paid functionality.
Can user defaults database be used for this?
It can, but it's not the best idea to do so, since
What is important is that the user will not have access to change those values and enable by themselves the paid functionality.
and NSUserDefaults stores its contents as binary or plaintext property lists. Easily changeable on a jailbroken device. (Also changeable on a non-jailbroken one by modifying the iTunes backup files).
What you could do is either store them in the keychain, although the keychain is not really designed for this (and it can also be dumped on a jailbroken device using Ptoomey3's awesome Kaychain-Dumper tool), or better store it remotely on your server and let your server check what the user has purchased.
Of course, if it's not only the server that does the check, so for example you don't only send or don't send content based on purchases, but you also use this check for performing actions within your app, then it also can be hacked (google "MobileSubstrate cheat DoodleJump" for a nice example).
All in all: there's no perfectly secure system.
I use the KeychainItemWrapper class to store a flag in the keychain. The nice thing is, so far, is that the keychain survives an app deletion. IF the user then reinstalls the same app on the same device, the keychain data is still there.
There is no need to use iCloud. If the user installs your app on another device, you just need to provide a "Restore Purchases" button in your app. Then you call the Store Kit APIs to restore existing purchases. The "In-App Purchasing Programming Guide" covers how to do this.
This same functionality will allow a user to restore their purchases even if the flags in the keychain are lost.
I am new to objective C, I have created one application in that I have used both NSUserDefault and Keychain to store my user name and password. But I cant differentiate both. Please help to differentiate the both.
Thank you.
A keychain is an encrypted container that holds passwords for multiple applications and secure services. Apple Inc. uses keychains as password management system in Mac OS and iOS.
NSUserDefaults Provides a way for application behavior customization based on user preferences. Belongs to the Foundation framework for Cocoa and Cocoa Touch.
I got this from Tag Information of NSUserdefaults and keychain
Addition:
When we saved userName and Password. and Remove app from device.
In Keychain: UserName and Password still is there.
In NSUserDefaults: UserName and Password also remove from device with your app.
Try to avoid saving data locally as much as possible.
Keychain-
Keychain is safe & encrypted way to save small storage data like username, password etc.
Beware keychain data can accessible from jailbroken devices .
You can get Apple sample code from here.
Keychain Sharing-
Enabling keychain sharing allows your app to share passwords in the keychain with other apps developed by your team.
Suppose we created two apps where users can log into the same account. It would be nice to have ability to share the login information between these apps. This way the user will only need to log in once in one of the apps.
UserDefaults
An interface to the user's defaults database, where you store key-value pairs persistently across invocations of your app on a given device.
UserDefaults are not secure way to save private data.
UserDefaults are stored as plist locally,
Anyone can track in ./Library/Preferences/com.mycompany.MyAppName.plist