6

How can I privately share data between two apps on the same device that have different team IDs? We used to do this via the pasteboard, but with iOS7 to use app-specific pasteboards they now have to have the same team id.

The problem we are trying to solve is the unlocking of features in one app if the user has purchased another app. We'd like this to happen quietly in the background (hence originally using app-specific pasteboards) but having some security to prevent users from spoofing the process and unlocking features.

One approach we are investigating is to use a system pasteboard but to encrypt the data with a device specific key. As long as both apps use the same algorithm to generate the key this should work, but he problem then becomes how to generate an app specific key.

Any advice/guidance on the best way of enabling this sort of feature unlocking scheme would be very helpful.

Magic Bullet Dave
  • 9,006
  • 10
  • 51
  • 81
  • Have you looked into salt and hash? It's 1 way so it's not technically 'encryption' you can't retrieve the key and 'decode' it you can only check that something else hashes with the same result. Which amounts to the same as recovering... I believe this is/can also device specific. – CW0007007 Sep 26 '13 at 11:27
  • I haven't, but I will. Thanks for the pointer. – Magic Bullet Dave Sep 26 '13 at 13:47
  • No problems. THere's plenty of stuff out there. I've used it on a project if you get stuck. – CW0007007 Sep 26 '13 at 14:01
  • Thanks. Have had a look at this, and if I understand correctly, would allow me to securely send data between the apps. Am I right in saying that if someone intercepted the package by pulling it off the pasteboard, they could take this package and put it on the pasteboard of another device and unlock the features? I think this is because the salt is sent with the hash, but there is no uniqueness to the device. Does that make sense? – Magic Bullet Dave Sep 27 '13 at 07:19
  • Well the way you could make it work is like this: On app A) have a secret key(string) like "UPGRADE_PACKAGE_LOYALTY" (doesn't matter what is is). That is then hashed, the hash will return a bunch of data. This data is then sent to the other app via the pasteboard. In APp B, when you are checking if the other app is there you would has the same "UPGRADE_PACKAGE_LOYALTY" key, then you would compare that Hash wiht the one from the other app. If they match then you know they have the other app. So the 'only' way to hack it would be to know the "UPGRADE_PACKAGE_LOYALTY" key? Does that make sense ? – CW0007007 Sep 27 '13 at 07:36
  • As a hash cannot be 'decoded' it's 1 way. So having just that is no use to anyone. – CW0007007 Sep 27 '13 at 07:38
  • Yes, makes perfect sense and thanks for explaining in more detail. I guess what I am trying to say is that if they take the hashed package to another device and place on the pasteboard, App B would do the comparison and unlock the features even though App A was not present on the device. So whilst it stops the package being readable and generated by a third party, does not stop it being intercepted and transferred to other devices. Have I understood that correctly? Dave – Magic Bullet Dave Sep 27 '13 at 07:53
  • Hmm yes I think I see what you mean. Think pasteboard may not be the best solution for you now then. – CW0007007 Sep 27 '13 at 08:02

1 Answers1

11

I use the pasteboard for sending data between applications as well. It's a really useful tool for sending medium size amounts of data between applications. I actually wrote up a blog post on the topic a while back.

Unfortunately, as you've pointed out, private pasteboards are only available to apps that share the same prefix in their app id. This is typically the Team ID, but may be different if you have an app that dates back to when you could use a different bundle seed identifier.

If you have medium sized amounts of private data being shared between apps with different prefixes then a different solution is in order. In this case I would suggest using some form of encryption and using the general pasteboard to shuttle the data around. Depending on the sensitivity of the data, it probably would be a good idea to encrypt the data even when using a private pasteboard. Rob Napier has a nice library for making the encryption and decryption very simple.

Alternatively, if your data is fairly small you might consider encoding the data into a URL and using a URL scheme to move the data into the other app.

Dillan
  • 427
  • 3
  • 9
  • Hi Dillan, thanks for the reply. We did use the general pasteboard in the end with our own basic encryption. – Magic Bullet Dave Oct 30 '13 at 14:48
  • @MagicBulletDave sorry for commenting on such an old post, but could you elaborate on your solution? In my tests the generic pasteboard would always be overwritten by any user-initiated pasteboard operation, e.g. if the user copies some text or anything between the moment app A writes something into the pasteboard and the moment app B tries to read it. – jcayzac Aug 27 '15 at 08:22