Can users modify NSUserDefaults key values in an iOS app?

Question

I have a question about security.

I am making an iOS app with in app purchase following this tutorial, and I store what products were bought in NSUserDefaults. That's why I wonder :

Can a user with a jailbroken device modify NSUserDefaults key and values for an app?

Thank you very much if you know about it.

Jer

score 25 · Accepted Answer · edited Jun 20 '20 at 09:12

Yes, they can. The user defaults are stored relative to your app directory here:

./MyAppName.app
./Library/Preferences/com.mycompany.MyAppName.plist

The plist file is not encrypted or signed, so it can be modified easily:

plutil -convert xml1 com.mycompany.MyAppName.plist
vim com.mycompany.MyAppName.plist

You can look into the iOS keychain, as @rckoenes said, or also something like this open source secure defaults replacement, which offers an interface similar to NSUserDefaults.

Update:

Since iOS 8, the data directory (and thus the preferences plist files) are now under:

/var/mobile/Containers/Data/Application/<GUID>/Library/Preferences/

Thank you, the Secure NSUserDefaults you link to looks great for my case, since I don't care the data beeing read, but I want to prevent unauthorized modification :) — darksider, Oct 09 '12 at 09:26

score 8 · Answer 2 · answered Oct 09 '12 at 08:19

8

Even users without a Jailbroken device can modify plists...

answered Oct 09 '12 at 08:19

Lefteris

rckoenes · Answer 3 · 2012-10-09T09:34:27.070

4

Yes a user with a jailbroke device can easily modify the NSUserDefault since it's just a plist file in the library directory of your app's sandbox.

You might want to store secure stuff in the keychain, which is a little more secure then the NSUserDefault.

edited Oct 09 '12 at 09:34

answered Oct 09 '12 at 08:09

rckoenes