8

Things aren't as clear as they could be on the best practice for storing logged-in data on the user's phone. Some suggest that data such as userID = 123 and loggedIn = true type data should be stored in NSUserDefaults. Yet from my understanding, this data can be easily manipulated with very little, according to this article: https://www.andyibanez.com/nsuserdefaults-not-for-sensitive-data/

So the question being: What is the best way to persist logged-in data as the user is navigating various screens? The only data that needs to be stored is the userID or OAuth token along with a few other custom bits about the status of this user's account. What is the most secure way of storing this data to make sure that someone cannot simply fake being another user when data is being pulled from the server?

Regards, Michael

Evgeny Karkan
Michael Cropper
  • I think NSUserDefaults should be fine. From my understanding, someone would need to physically have your phone to access that information, and if they have your phone, it's kind of a moot point at that point anyway, isn't it? – R.P. Carson Jul 24 '16 at 17:23
  • So if a userID is stored in an unencrypted way, what is to stop someone trying userID 0001, 0002, 0003 etc. to guess this information to try and access someone's account if this data is stored in an unencrypted way? Clearly the userIDs are much more complex than iterative numbers, although it would be technically possible to guess one eventually. So would it be best to say only store a long userID and nothing else, then query everything else from the server to avoid the app relying on data within the NSUserDefaults? – Michael Cropper Jul 24 '16 at 18:28

1 Answer

6

The NSUserDefaults API is a bad place to store a REST token or any kind of secret data.
It is not a secure method: there is no encryption. Moreover, it can be easily opened and read by a reverse engineer.

I would suggest you store it in the keychain. The keychain is a way better solution because it is more secure and has encryption. Take a look at the iOS Keychain Services Tasks reference for more details about implementing keychain-backed storage.

Also please note that it is a pretty time-consuming task and you might be interested in third-party libs, i.e. keychain wrappers. I would recommend the SSKeychain library or Apple's GenericKeychain sample project as a starting point.

Evgeny Karkan
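To make the answer's recommendation concrete, here is a minimal keychain-backed token store written directly against the Security framework (SecItemAdd / SecItemCopyMatching / SecItemUpdate / SecItemDelete). This is an added example, not code from the answer, from SSKeychain or from Apple's GenericKeychain sample; the service and account names are assumed placeholders, and the token value is a constructed sample. It stores the OAuth token as a generic-password item with the `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` protection class, so the item is only readable while the device is unlocked and is not restored from a backup onto another device.

```swift
import Foundation
import Security

/// Added example (not part of the original answer): a small Keychain-backed
/// store for an OAuth token, used in place of UserDefaults for secret data.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case invalidData
}

struct KeychainTokenStore {
    // Hypothetical identifiers; an app would use its own bundle-scoped service name.
    let service = "com.example.myapp.oauth"
    let account = "access-token"

    /// Attributes shared by every query: one generic-password item per (service, account).
    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Store or replace the token. The accessibility class keeps the item
    /// readable only while the device is unlocked and excludes it from
    /// backups that could be restored onto a different device.
    func save(token: String) throws {
        let data = Data(token.utf8)
        var addQuery = baseQuery
        addQuery[kSecValueData as String] = data
        addQuery[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(addQuery as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // An item already exists for this service/account: update the secret in place.
            let update: [String: Any] = [kSecValueData as String: data]
            let updateStatus = SecItemUpdate(baseQuery as CFDictionary, update as CFDictionary)
            guard updateStatus == errSecSuccess else {
                throw KeychainError.unexpectedStatus(updateStatus)
            }
        } else if status != errSecSuccess {
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Read the token back, or nil when nothing has been stored yet.
    func loadToken() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data,
                  let token = String(data: data, encoding: .utf8) else {
                throw KeychainError.invalidData
            }
            return token
        case errSecItemNotFound:
            return nil
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Remove the token on logout so the next user of the device cannot reuse the session.
    func deleteToken() throws {
        let status = SecItemDelete(baseQuery as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage: persist the token after login, read it back on launch, clear it on logout.
// In an app these calls belong inside do/catch; the token here is a constructed sample.
let store = KeychainTokenStore()
try store.save(token: "constructed-sample-token")
let restored = try store.loadToken()   // Optional("constructed-sample-token")
try store.deleteToken()
```

Two design points follow from the discussion in the comments. First, only the token needs to live in the keychain; a userID or account-status flag kept on the device is at most a cache for display, and the server must derive the caller's identity from the token it validates, never from a userID the client sends. Then a tampered or guessed userID in local storage gains nothing. Second, `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` is the conservative choice for a session token; if a background task needs the token while the device is locked, `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` is the usual relaxation, and anything without `ThisDeviceOnly` allows the item to migrate via backup.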