How Secure Is Nsuserdefaults on iOS 8,9

How secure is NSUserDefaults on iOS 8,9?

It's highly recommended to not save sensitive data in UserDefaults such as in-app purchases or obviously data such as passwords. Even data like high scores are better saved in keychain so people cannot cheat.

I think that part of the Apple documentation is outdated and should be changed as UserDefaults are not the way to store sensitive data, which in app purchases definitely are IMO.

Just save basic data in UserDefaults like language settings, audio settings etc.

If you want to save sensitive data you should use Keychain. I think the keychain API is quite tricky to use but there is a great helper on GitHub you can use, it has CocoaPods and SwiftPackageManager support and is actively maintained by its author.

https://github.com/kishikawakatsumi/KeychainAccess

There is 2 more projects I used to use which unfortunately no longer seem to be supported

https://github.com/jrendel/SwiftKeychainWrapper

https://github.com/matthewpalmer/Locksmith

One thing to bear in mind with keychain is that data persists even if you delete your app, which I actually consider a good thing.

All credit goes to the authors of their respective wrappers.

Hope this helps

iOS: Is it secure to store sensible user information in [NSUserDefaults standardUserDefaults]?

Other apps would not be able to access information saved in your user defaults for your app. But this doesn't mean the information can't be obtained. You can plug your device into Xcode and run your app. Under devices, you can view your own app's information, and the information saved in user defaults will be listed there.

It generally isn't a good idea to save sensitive user data there, while not that easy to access, it is still accessible. For general non-personal data or settings, it really isn't a big issue. You can always use the built-in keychain access to store username and password information and use user defaults for anything else you might need.

In one of my apps, I salt and hash the username and password together to create a unique token. I save that in user defaults. It is worthless by itself, but that is just my way of doing things. Good luck.

What is un-secure about NSUserDefaults, is manual encryption safe?

What exactly can be hacked and not hacked?

Most everything you can do can be hacked.

Can the Hacker see my app's Swift Code, do they only see the list of variables

A sophisticated hacker can see the executable binary but not the Swift source code.

values stored in NSUserDefaults?

It is trivial to see the contents of NSUserDefaults. See iExplorer and other similar apps.

Could I create my own "encryption" in my code

Sure, but should you?

"Schneier's Law": "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break."

Is this safe?

No it is not safe. If you want use encryption you need a standard encryption algorithm such as AES but it is not that easy to create a secure scheme. You can use a wrapper library such as RNCryptor. But this creates a new problem: where to safely save the encryption key, see next point.

I don't want to have to learn KeychainsWrappers if my manual solution is safe.

Only if you want to securely wan to to save keys and small amounts of data. Security is hard.

You need to evaluate the level of security you need, this included the level of attacker and the value of the data. Attackers run from curious students to nation states. Data values run from Tic-Tac-Toe high scores to nuclear arms details. You need to determine these first.

security of NSUserDefaults in Swift

If you need security you should use Key Chains. It encodes values and is best way to save some security information. One thing that you should know is that you should not store there a lot of data as this storage is related to whole device not just to your application, so if your application will be deleted, stored data still will be alive. For example using User Defaults stored data would immediately become deleted(same with using Core Data).

Is it good idea to store value in userDefaults on sign in and check user status every time when App open?

If a piece of data is not sensitive (e.g., default font size), store it in NSUserDefaults.

If it needs to be secure from casual snooping (e.g., user's password), store it in the Keychain.

If it needs to be secure from the user (e.g., registration code), you will need to roll your own encryption, then store the data wherever you like.

In normal iPhones and iPads it's secure to store in UserDeafaults but in jailbroken devices one can get those data easily. That's why it's preferred to store sensitive data into Keychain.

Using NSUserDefaults to store many values will cause problems?

You can use NSUserDefaults for storing user data.

But for highly sensitive data like Username and Password I prefer keychain to store them.

Please check these links for Keychain saving:

1. Simple iphone keychain access
2. saving email password to keychain in ios
3. howto use keychain in iphone sdk

Where should the sensitive information be stored?

To store user credentials I'd use Keychain (also it would help if server-side could accept some kind of hash instead of plain password). I'd say that users with JB probably know what they are doing and can protect themselves too, so I think it's not so big deal that Keychain is much easier to hack with JB than without it.

To store things like address etc I'd use transformable attributes if you use CoreData (This post may help).

Additional protection from iOS side can be file protection attribs(if user has passcode set up).

UserDefaults are not meant to store sensitive info since it's basically "plain text".

---

Related Topics