This question already has answers here:
iOS: How to store username/password within an app?
(15 answers)
Closed 8 years ago.
Hello I am working on an app that need to keep user data. Like username/password. I understand I could do this with plist files (simplest way) but what if the user deletes the app and then redownloads it? The data would be reset I presume. So I was thinking about querying a web server for the data. Is there any other more mainstream way that iOS games keep user data please list them if possible.
You should never store password in plist files, they are just plain text. This would making hacking the users account very easy.
But to answer your question, yes there is such a place it is the Keychain. It is meant to store data that needs to secure.
You should use KeyChain to save info that should not be deleted together with app. https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/Reference/reference.html
This SO thread could be useful for you How to use Keychain for saving password like GenericKeychain sample code
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I am currently developing an app with Flutter, which is similar in principle to the app "Celebrate". In this app I need to be able to store certain data on the server permanently without the user having to register. How can this be realised?
Example:
the user starts the app and creates an album
the user deletes the app
the user reinstalls the app
the previously created album is still there
I have thought about two possible variants. Which variant is the one I should prefer?
when the user starts the app, I store unique device information in the database on the server. So I always know to which device the corresponding data can be assigned. Does Apple even allow me to retrieve and store device information? Would this be a good solution?
I see that Firebase offers "Anonymous auth". Does that happen to do exactly what I need? In "Celebrate" it is so that even if you reinstall the app, the data will probably still be retrieved. So there is nothing stored locally. Could the developers of Celebrate use this or similar methods?
Thank you for a competent answer!
Getting a unique device ID seems more accurate solution for what you want. Firebase Anonymous Auth will not work if the user uninstall the app.
You could use device_info plugin developed by the Flutter team.
In your pubspec.yaml file add this:
dependencies:
device_info: ^0.4.2+6 // or latest stable version when you see this
To get the data (and ID) of each platform:
// iOS
IosDeviceInfo iosDeviceInfo = await deviceInfo.iosInfo;
iosDeviceInfo.identifierForVendor; // unique ID on iOS
// Android
AndroidDeviceInfo androidDeviceInfo = await deviceInfo.androidInfo;
androidDeviceInfo.androidId; // unique ID on Android
Since iOS vendor identifier can change on app reinstallation or other event, we need to keep it in the keychain with flutter_secure_storage. You could simple check if the key exists or not. If it exists then it's a reinstallation, if doesn't, it's first time. And clearly, set the vendor id on first time.
I see that Firebase offers "Anonymous auth". Does that happen to do exactly what I need?
While anonymous authentication would allow the user to get started without typing credentials, and you can still make them the "owner" of their own content, it will lose all knowledge of the user when you either sign them out or when they uninstall the app.
As #sqew commented, the scenario you describe is actually against Apple's guidelines, so even if it's technically possible it might not be the best choice.
I've been googling around on how to store a password, and most of the people say that the only acceptable option is Keychain. I implemented that kind of approach, due to rush. But now I am curious what is that obvious thing to not store passwords in NSUserDefaults and is it ok to store password in CoreData?
So far I understood that NSUserDefaults are stored as a plain text in plist file. But how may one access this file? I've read that it is possible to do with the help of a lightning cable and an itunes, but didn't find how to do that.
Thanks in advance!
Data you store using NSUSerDefault are getting saved in simple plist -in binary format without any encryption. there are many tricks to read these data or modify these data.
Jailbreak users can use iFile to view or modify plist files. Non-Jailbreak users can use other software like iExplore - iFunBox to do this. This software allows users to explore the iOS filesystem without having phone jailbroken
Long story short -- anyone can see or modify data in NSUserDefault. So if you don't want to share your detail publicly, you should never store them in NSUserDefault.
The problem in here is Jailbroken device, while the device is Jailbroken, it will allow other app/tweak to intercept with the sandbox files inside the app, thus can search/read the .plist file in there, atleast thats what i know of
I have an iOS app which loads certain features depending on the settings that the user sets. Currently I am using NSUseDefaults to save and retrieve these settings and it works fine. But from what I understand anyone can view and edit them with a simple XML editor. You don't even need to jailbreak an iOS device to gain access to them. So they arn't very secure.
I was wandering if anyone could give me some advice on how I can go about saving app settings (these are NONE secure settings, no passwords, just simple things like ints and strings).
Here are a few ideas I had:
IDEA 1 Add a JSON file to the app NSBundle and then edit/save that JSON file every time you want to load/change the app settings.
IDEA 2 Use Keychain - it can store strings right? And it can't be accessed or edited by anyone. (hopefully even the NSA... lol). I could just store an array of strings in keychain for my app settings.
IDEA 3 Store the settings on a server and get the app to pull them down for the user every time they use the app.
IDEA 4 If NSUserDefaults supports this, then maybe locking the NSUserDefaults so that the end user can only view them but not edit them. Only the app will be able to edit them.
The main point is that I am worried that if I use NSUSerDefaults, the user may see them and edit them and then the app will not function properly. While I am not storing any kind of secure data, it would be nice if I can prevent the user from editing the app settings.
Are any of these approaches any good?
Thanks for your time, Dan.
All of them are good ideas, but just one issue with the first one:
You can not write or change files in the main bundle.
As long a the sure did not jailbreak their device the NSUserDefault can not easily be changed.
The keychain should only be used for password, token, etc..
In you case the NSUserDefault will do just fine, or just save the some file the documents directory of your is also an option. You can even create you now settings class that conforms the to NSCoding protocol and you can save it.
This question already has an answer here:
iPhone 5s Touch ID sensor API [closed]
(1 answer)
Closed 8 years ago.
Instead of using the user object and password from ios keychain to authenticate in an app do developers have access to the user object's touchId. I do not want to store the fingerprint (and I know that apple will not allow this) I just want to authenticate using the fingerprint (touchid) that is encrypted on the hardware. I can't seem to find any subclasses or methods in the documentation that would allow me to perform the authentication using touchId rather than user and pass. Any insight would be great.
Thanks!
No, (at the time of writing) developers have no access to the touch sensor or any information from it.
It is possible only if you jailbreak.
I an building my first iOS application and I need to store the user registration details of the user using the application. The details include his mobile number and a unique id( uuid ) which I use to contact with the backend. It would be great if I could get a suggestion on where to store this user details.
Should I be storing this in the NSUserDefaults or should I be using Keychains to store this data or even may be a using a user model in the database ( I would need a database in any case to store a few other details ). Just to add on, I also would like to perform a few validations like if the mobile number is of proper format and so on before I could actually save it. Also can any one please suggest on the security aspects of different storage mechanisms possible here?
Any help on this would be much appreciated.
The most secure way would be to use keychain services as the data is encrypted but in your scenario it seems a bit over kill. I would recommend either just using NSUserDefaults or an sqlite database I wouldn't really recommend storing in a plist as this can be accessed really easily.
But this all depends on the data you are getting, if it was just uuid and mobile number then NSUserDefaults would do probably, whereas if you were getting usernames and passwords and other personal data I would looking a mix of keychain and sqlite database.
Also you could use coredata file to store user data but seems a bit over kill as well for for such little data.
Just a little note you are actually not allowed to get the iPhones mobile phone number programmatically, getting this would use Private APIs that Apple would reject your app for using.
2.5 Apps that use non-public APIs will be rejected
So you would have to ask he user for this.
Database selection is totally depend on the architecture and security, if you just need to store the few information like login details and some field then Keychain for login details and plist for data is best option, but if your application also working with services and fetching and saving lots of data and continuously updating it then a serious database structure required. In that scenario core data and sqlite both are good option depends on your preference
Following ways you can save details.
In NSUserDefaults
In coredata file.
In sqlite database
Plist file.(Not recommended)
You can save data at server site using webservice.
Any one of these you can use according to your requirement and data.
Cheers :)
If you store information on the UserDefaults, a jailbroken device can see the information you have stored, it is a plist after all. If you are going to keep sensitive data on your device, user defaults itself is not a good option. Possible alternatives:
Use keychain: Keychain is a tool to keep usernames & passwords securely on a device; so you may need to find a way to convert all the info you have mentioned ( a dict, I presume? ) into NSData and put into/get from the keychain but it's been explained on other threads. Additionally, keep in mind that when the app is deleted, keychain data will persist on the device.
UserDefaults & encrpytion: If you can encrypt the data yourself, than using UserDefaults might be a better option. Its more straightforward than keychain and it will be deleted if you delete the app from the device (which may be the thing you want, or not. It depends)