7

I've been googling around on how to store a password, and most people say that the only acceptable option is Keychain. I implemented that approach, due to the rush. But now I am curious: what is the obvious reason not to store passwords in NSUserDefaults, and is it OK to store a password in CoreData? So far I understand that NSUserDefaults are stored as plain text in a plist file. But how may one access this file? I've read that it is possible with the help of a Lightning cable and iTunes, but didn't find how to do that. Thanks in advance!

Varun Kumar
Miras Maratuly
  • 1
    best option is store password in NSUserDefaults because no one can read or access that data. in .plist file some third party software available to access that file and data. so for security reason all time store data in NSUserdefault – Himanshu Moradiya Feb 10 '17 at 07:03
  • @HimanshuMoradiya `so for security reason all time store data in NSUserdefault`. It's not secure at all. NSUserDefaults is a plist file which stores data in plain text. If you have access to the ipa, you can read that plist. – Anil Varghese Feb 10 '17 at 07:17
  • @HimanshuMoradiya, thanks for the reply, but are you sure about that? Because that's exactly the opposite of everything I have read. And aren't NSUserDefaults stored in a plist file? So they are accessible to third parties. – Miras Maratuly Feb 10 '17 at 07:27
  • @AnilVarghese Thanks for your time, and how may one access the ipa? How complex is this procedure? – Miras Maratuly Feb 10 '17 at 07:29
  • @AnilVarghese NSuserdefault you can access only when your application is runing in xcode, and the .plist file you can access any time, that I know, and I can already access some application .plist file via send box or funbox – Himanshu Moradiya Feb 10 '17 at 07:30
  • @HimanshuMoradiya Think like a hacker! There are many ways to read, modify or delete anything in the whole file system. – PlusInfosys Feb 10 '17 at 07:40
  • @HimanshuMoradiya `NSuserdefault you can access only when your application is runing in xcode` WRONG. Get your facts straight. – Anil Varghese Feb 10 '17 at 08:09
  • Then what is the best way to store data? – Himanshu Moradiya Feb 10 '17 at 09:05
  • 1
    You can use the best encryption algorithms like SHA-512, SHA-256 in which you can save your password – Jitendra Modi Feb 10 '17 at 09:18
  • 1
    @JeckyModi 1. SHA-* is not encryption, it is a cryptographic hashing function. 2. Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as `PBKDF2` (aka `Rfc2898DeriveBytes`), `password_hash`/`password_verify`, `Bcrypt` and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods. – zaph Feb 10 '17 at 14:40

2 Answers

5

Data you store using NSUserDefault is saved in a simple plist, in binary format, without any encryption. There are many tricks to read or modify this data.

Jailbreak users can use iFile to view or modify plist files. Non-jailbreak users can use other software like iExplore or iFunBox to do this. This software allows users to explore the iOS filesystem without having the phone jailbroken.

Long story short: anyone can see or modify data in NSUserDefault. So if you don't want to share your details publicly, you should never store them in NSUserDefault.

PlusInfosys
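The point made in the answer above, that the binary plist format is an encoding and not encryption, shown as an added example that is not part of the original answer: a small audit check a developer could run over their own app's preferences plist to find values that belong in the Keychain instead. The sample data, key names and the key-name pattern are constructed assumptions.

```python
import plistlib
import re

# Key names that suggest a secret. This pattern is an assumption of the example.
SECRET_KEY_RE = re.compile(r"pass|secret|token|api[_-]?key|pin$", re.I)

def find_secret_like_entries(plist_bytes):
    """Parse an XML or binary plist and return sorted (key_path, value) pairs
    whose key name looks like a credential. No key material is needed to read
    the file: the binary format only changes the encoding."""
    root = plistlib.loads(plist_bytes)  # auto-detects XML vs. binary
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if isinstance(value, (dict, list)):
                    walk(value, child)
                elif SECRET_KEY_RE.search(key):
                    hits.append((child, value))
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(root, "")
    return sorted(hits, key=lambda hit: hit[0])

def build_sample_prefs():
    """Constructed sample of what a preferences plist could contain after an
    app saved a password through NSUserDefaults."""
    prefs = {
        "username": "alice",
        "userPassword": "hunter2",
        "launchCount": 12,
        "session": {"authToken": "constructed-token-value", "region": "eu"},
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    data = build_sample_prefs()
    print("magic:", data[:8])  # binary plists start with b"bplist00"
    print("raw password bytes present:", b"hunter2" in data)
    for path, value in find_secret_like_entries(data):
        print(f"{path} = {value!r}")
```

Any entry this check reports is a candidate for moving into the Keychain, as the question's own research suggested.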
3

The problem here is a jailbroken device. While the device is jailbroken, it will allow other apps/tweaks to intercept with the sandbox files inside the app, and thus search/read the .plist file in there; at least that's what I know of.

Tj3n