Why is it obvious to not store password in NSUserDefaults?

I've been googling around on how to store a password, and most people say that the only acceptable option is Keychain. I implemented that approach because I was in a rush. But now I am curious: what is the obvious reason not to store passwords in NSUserDefaults, and is it OK to store a password in CoreData? So far I understand that NSUserDefaults are stored as plain text in a plist file. But how may one access this file? I've read that it is possible to do with the help of a Lightning cable and iTunes, but I didn't find how to do that. Thanks in advance!

Adena answered 10/2, 2017 at 6:58 Comment(10)
Best option is to store the password in NSUserDefaults because no one can read or access that data. In a .plist file, some third-party software is available to access that file and data. So for security reason all time store data in NSUserdefault - Safelight
@HimanshuMoradiya "so for security reason all time store data in NSUserdefault". It's not secure at all. NSUserDefaults is a plist file which stores data in plain text. If you have access to the ipa, you can read that plist. - Estelleesten
@HimanshuMoradiya, thanks for the reply, but are you sure about that? Because that's exactly the opposite of everything I have read. And aren't NSUserDefaults stored in a plist file? So they are accessible to third parties. - Adena
@AnilVarghese Thanks for your time, and how may one get access to the ipa? How complex is this procedure? - Adena
@AnilVarghese NSuserdefault you can access only when your application is running in xcode, and a .plist file you can access any time, that I know, and I can already access some application's .plist file via send box or funbox - Safelight
@HimanshuMoradiya Think like a hacker! There are many ways to read or modify or delete anything in the whole file system. - Rib
@HimanshuMoradiya "NSuserdefault you can access only when your application is running in xcode" WRONG. Get your facts straight. - Estelleesten
Then what is the best way to store data? - Safelight
You can use the best encryption algorithms like SHA-512, SHA-256 in which you can save your password - Sura
@JeckyModi 1. SHA-* is not encryption, it is a cryptographic hashing function. 2. Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2 (aka Rfc2898DeriveBytes), password_hash/password_verify, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods. - Bes

Data you store using NSUserDefaults is saved in a simple plist, in binary format, without any encryption. There are many tricks to read or modify this data.

Jailbreak users can use iFile to view or modify plist files. Non-jailbreak users can use other software like iExplorer or iFunBox to do this. This software allows users to explore the iOS filesystem without the phone being jailbroken.

Long story short -- anyone can see or modify data in NSUserDefaults. So if you don't want to share your details publicly, you should never store them in NSUserDefaults.

Rib answered 10/2, 2017 at 7:29 Comment(0)
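An added example, not part of the original answer: a small Python audit that decodes a preferences plist and flags credential-like keys, showing that the binary plist format is an encoding and not encryption. The key names, sample values and the regex heuristic are constructed for illustration; on a device the file is the app container's `Library/Preferences/<bundle-id>.plist`.

```python
import plistlib
import re

# Key names that usually indicate a credential (assumed heuristic, tune per app).
SECRET_KEY_RE = re.compile(r"pass(word|wd|code)?|secret|token|api[_-]?key|pin$", re.I)


def find_secret_like_entries(node, path=""):
    """Recursively walk a decoded plist and return (key_path, value) pairs
    whose key name looks like a credential."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                hits.extend(find_secret_like_entries(value, child))
            elif SECRET_KEY_RE.search(key):
                hits.append((child, value))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_secret_like_entries(value, f"{path}[{index}]"))
    return hits


def audit_plist_bytes(raw):
    """Decode plist bytes (XML or binary, auto-detected) and list findings."""
    return find_secret_like_entries(plistlib.loads(raw))


def build_sample_plist():
    """Constructed sample standing in for an app's NSUserDefaults plist."""
    prefs = {
        "username": "alice",
        "userPassword": "hunter2",
        "launchCount": 7,
        "session": {"authToken": "constructed-token-123", "theme": "dark"},
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    raw = build_sample_plist()
    print("magic:", raw[:8])  # binary plists start with the bplist00 header
    for key_path, value in audit_plist_bytes(raw):
        print(f"plaintext secret at {key_path}: {value!r}")
```

Running the same audit over the preferences plist of a test build is a quick release check that no credential has been written to NSUserDefaults.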

The problem here is a jailbroken device: while the device is jailbroken, it will allow other apps/tweaks to intercept the sandbox files inside the app, and thus search/read the .plist file in there. At least that's what I know of.

Cohlette answered 10/2, 2017 at 7:26 Comment(0)
