How secure is a plist included in my Xcode project after compilation?

4

5

If I store important values in a plist in Xcode, is that less secure than if it was hard coded in a class? Could jailbroken devices mess with those values easily? I know there's a certain level of risk with everything, but can someone explain the relative risks of a flat file vs hard coded values (in a MyClass.m file)?

Sub question: How do you go about storing large amounts of initial data for a game/app to run on? It's fine if the values are readable, I just don't want them easily writable.

Choker answered 2/10, 2014 at 14:17 Comment(6)
Anyone that downloads your app can look at the plist file. No hacking or jailbreak required. A user just needs to know how to unzip the ipa file. - Wilbertwilborn
You can use iFunBox, iExplorer or whatever free soft to look up into your ipa, so it's definitely not secure. If you want to make it secure, try to encrypt your info plist file, or better, encrypt these values inside of your class. Actually it's not that hard to look into your source code for more advanced buddies. - Previous
So how do you go about storing large amounts of initial data for a game/app to run on? It's fine if the values are readable, I just don't want them easily writable. Storing in source seems rather clumsy? - Choker
@Previous You don't need any of those tools. The ipa is on your computer when you backup your iOS device with iTunes. - Wilbertwilborn
Yep, that's correct, it was just an example. The point being said was that it's not safe at all :) - Previous
You can use binary data, serialized data, even an sqlite database if you need that, just don't copy them to the Library, Documents, Temp directories, which can be deleted by anyone. - Previous
K
8

As for reading data:

Plist data is not secure at all - getting plist content takes virtually no time! (and as the ipa is just a renamed zip you don't even need a device ;))

Extracting compiled code is 'harder' but in case of plain text strings only by a small margin. (again: no need for a device)

As for writing to it:

Data you deliver is never writable without breaking the code signature. Therefore any method is fine. Often one ships CoreData databases when using CD, but I also use xmls, jsons, plists... to deliver my content, whatever suits the needs best.

Note: breaking the code signature makes the app unusable on a stock iOS device, but I think it'd remain usable on a jailbroken phone as the kernel doesn't really check the signature there.

Kaczmarek answered 2/10, 2014 at 15:25 Comment(4)
Okay so if I stored initial unit values for a game in a plist it wouldn't be any less secure than in code? You couldn't simply edit the plist (effectively cheating) and run with the new values? - Choker
On a jailbroken iPhone you could, because the OS doesn't really care about code signing. - Kaczmarek
So would you say storing a production API url in here is okay? Since it's kind of public information already? (I was more worried about people writing to it than reading it, since that can also be sniffed out) - Cantillate
Yeah. I think it is fine :) Getting the url isn't too hard anyway, as you said :) - Kaczmarek
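
Both points in the answer above (a plist is readable by unzipping the ipa, and plain string constants in the executable are readable too) can be checked against your own build before release. This is an added example, not code from the answer: it builds a constructed in-memory archive laid out like an .ipa, and the file names, key names and secret value are made up for the demonstration.

```python
import io
import plistlib
import re
import zipfile

# Constructed sample value; stands in for anything you would not want read back.
SECRET = "constructed-api-key-123"

def build_sample_ipa() -> bytes:
    """Return a zip laid out like an .ipa (Payload/<App>.app/...), built in memory."""
    config = plistlib.dumps({"UnitHealth": 100, "ApiKey": SECRET},
                            fmt=plistlib.FMT_BINARY)
    # Stand-in for a compiled executable: opaque bytes around a C string constant.
    binary = b"\xcf\xfa\xed\xfe" + bytes(range(0, 32)) + SECRET.encode() + b"\x00\x01\x02"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Config.plist", config)
        z.writestr("Payload/Demo.app/Demo", binary)
    return buf.getvalue()

def plist_values(ipa: bytes) -> dict:
    """Parse every .plist in the archive; plistlib detects XML vs binary format."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        for name in z.namelist():
            if name.endswith(".plist"):
                found[name] = plistlib.loads(z.read(name))
    return found

def printable_strings(ipa: bytes, member: str, min_len: int = 6) -> list:
    """Printable ASCII runs in one bundle member, like the `strings` tool."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        data = z.read(member)
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_value(ipa: bytes, needle: str) -> list:
    """Bundle members from which `needle` can be read back (assumes dict plists)."""
    hits = [n for n, doc in plist_values(ipa).items()
            if needle in [str(v) for v in doc.values()]]
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        others = [n for n in z.namelist() if not n.endswith(".plist")]
    hits += [n for n in others if needle in printable_strings(ipa, n)]
    return sorted(hits)
```

Run against a real build, `find_value` lists every bundle file from which a given value can be recovered with nothing more than the archive itself.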
M
0

The values stored in your source files (.m) are safe, it is quite hard to access them. On the other hand, accessing an app's plist, image sources, and other files is quite easy; there are programs to achieve this (for example: iExplorer) and the device doesn't have to be jailbroken at all.

So if you have sensitive information stored in your plist, it is worth encoding the file, or storing it in your source code.

Miles answered 2/10, 2014 at 14:24 Comment(2)
This is not true. It's easy to access compiled strings. - Claireclairobscure
I wouldn't suggest putting your secure information into your .h file, and it's not as secure as it might appear. There are buddies showing the way how to do that even at iOS conferences :) However, you wouldn't bother doing this if the attacker won't access infos of significant value. - Previous
P
0

Anyone can access a .plist file. But if it is hard-coded in a class it is much more secure; use the second option. Nothing is 100% secure, but if it is hard-coded in a class and someone wants to access this value, the work is harder.

Pecker answered 2/10, 2014 at 14:32 Comment(0)
W
0

If you're looking to store sensitive values that you don't want jailbroken devices or a reverse-engineered app to get access to, you can easily think of using UAObfuscatedString.

As quoted:

When you write code that has a string constant in it, this string is saved in the binary in clear text. A hacker could potentially discover exploits or change the string to affect your app's behavior.
UAObfuscatedString only ever stores single characters in the binary, then combines them at runtime to produce your string. It is highly unlikely that these single letters will be discoverable in the binary as they will be interjected at random places in the compiled code. Thus, they appear to be randomized code to anyone trying to extract strings.

Having values hard coded in code or in a plist file is considered risky for sure.

Weatherley answered 16/4, 2018 at 12:55 Comment(0)
