
How easy is it to hack a plist file in an app store app?

Don't worry, I'm not trying to hack someone else's app, if that's what you're thinking =).

I want to have 2 versions of my app, a free version and a deluxe version. My plan was to use an in-app purchase to enable the deluxe version by setting a boolean value in the plist file.

My question is: is this secure or is it easily circumvented? And if it is not secure, can someone suggest a simple alternative? I don't want to download additional content, I would rather keep all of the functionality within the app and enable it somehow.

Edit: I don't mean the application plist file, but something like the user defaults file.

Jerry SHen asked Mar 17 '10 17:03



6 Answers

You should store this in the keychain; this is what I'll do. The keychain is far more secure than a .plist or the user defaults (which are .plists, too, as far as I know). Have a look at SFHFKeychainUtils; you should be able to use this or just implement a better method exactly for the need to save a simple bool.

bddckr answered Oct 13 '22 06:10
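The keychain approach from the answer above, written directly against the Security framework. This is an added example, not code from the answer or from SFHFKeychainUtils; it assumes ARC, and the service and account names are hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers chosen for this example.
static NSString *const kService = @"com.example.myapp.purchases";
static NSString *const kAccount = @"com.example.pack1";

// Attributes that identify the single keychain item holding the flag.
static NSDictionary *BaseQuery(void) {
    return @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kService,
              (__bridge id)kSecAttrAccount: kAccount };
}

// Store the unlock flag. Returns YES on success.
BOOL StoreDeluxeUnlocked(BOOL unlocked) {
    NSData *value = [(unlocked ? @"1" : @"0") dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableDictionary *add = [BaseQuery() mutableCopy];
    add[(__bridge id)kSecValueData] = value;
    // ThisDeviceOnly keeps the item out of backups restored to another device.
    add[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        // Item already exists: overwrite its data instead of adding a second one.
        NSDictionary *changes = @{ (__bridge id)kSecValueData: value };
        status = SecItemUpdate((__bridge CFDictionaryRef)BaseQuery(),
                               (__bridge CFDictionaryRef)changes);
    }
    return status == errSecSuccess;
}

// Read the flag. A missing or unreadable item is treated as "not unlocked".
BOOL IsDeluxeUnlocked(void) {
    NSMutableDictionary *query = [BaseQuery() mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) return NO;

    NSData *data = (__bridge_transfer NSData *)result;
    NSString *text = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
    return [text isEqualToString:@"1"];
}
```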


It is easy to edit the com.something.plist without jailbreaking. With a free tool* you can browse your device, and you can also edit and save these files. If you store your in-app purchase something like this:

[[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"com.example.pack1"];
[[NSUserDefaults standardUserDefaults] synchronize];

then this will be written to the plist:

<key>com.example.pack1</key>
<true/>

If you name your packages like this: pack1, pack2 etc., and somebody edits your plist (copy/pasting the first key), he/she could use the locked feature easily.

A not too hard to implement method would be to save like this:

[[NSUserDefaults standardUserDefaults] setValue:[self sha1ValueForKey:@"com.example.pack1"]
                                         forKey:@"com.example.pack1"];
[[NSUserDefaults standardUserDefaults] synchronize];

where -sha1ValueForKey: is

-(NSString *)sha1ValueForKey:(NSString *)key {
    return [self sha1:[NSString stringWithFormat:@"<SALT>%@", key]];
}

You have to change <SALT> to something.

You can find -sha1: here: http://www.makebetterthings.com/iphone/how-to-get-md5-and-sha1-in-objective-c-ios-sdk/

After this you can verify if the key matches the hashed value.

If somebody wants to hack your plist he/she has to know your hashing mechanism and salt. This is not the safest way to protect your application but it is easy to implement.

*iExplorer

EDIT:
The suggested method only protects (somewhat) your IAP if the user doesn't have access to the hashed value. If someone gets it from somewhere, it is easy to copy that data to the plist. If the SALT is device dependent, copying is useless.

Vili answered Oct 13 '22 06:10
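A device-dependent variant of the check described in the answer above, including the verification step. This is an added example, not the answer's code: it swaps the salted SHA-1 for HMAC-SHA256 from CommonCrypto, takes the device-dependent part from `identifierForVendor` (an assumption of this example), and keeps `<SALT>` as the placeholder the answer uses.

```objc
#import <UIKit/UIKit.h>
#import <CommonCrypto/CommonDigest.h>
#import <CommonCrypto/CommonHMAC.h>

// Placeholder from the answer; replace with your own value.
// It ships inside the binary, so this raises the effort needed, nothing more.
static NSString *const kAppSecret = @"<SALT>";

// Expected tag for a product on this device, or nil if no device ID is available.
static NSString *TagForProduct(NSString *productID) {
    NSString *device = [[[UIDevice currentDevice] identifierForVendor] UUIDString];
    if (device == nil) return nil;

    NSData *key = [[kAppSecret stringByAppendingString:device]
                      dataUsingEncoding:NSUTF8StringEncoding];
    NSData *msg = [productID dataUsingEncoding:NSUTF8StringEncoding];

    unsigned char mac[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, key.bytes, key.length, msg.bytes, msg.length, mac);

    NSMutableString *hex = [NSMutableString stringWithCapacity:sizeof(mac) * 2];
    for (size_t i = 0; i < sizeof(mac); i++) [hex appendFormat:@"%02x", mac[i]];
    return hex;
}

// Record a purchase by storing the tag under the product's key.
BOOL MarkPurchased(NSString *productID) {
    NSString *tag = TagForProduct(productID);
    if (tag == nil) return NO;
    [[NSUserDefaults standardUserDefaults] setObject:tag forKey:productID];
    return YES;
}

// Verify: the stored value must be a string equal to the tag recomputed on this device.
BOOL IsPurchased(NSString *productID) {
    id stored = [[NSUserDefaults standardUserDefaults] objectForKey:productID];
    if (![stored isKindOfClass:[NSString class]]) return NO;  // e.g. an edited-in <true/>
    NSString *expected = TagForProduct(productID);
    return expected != nil && [stored isEqualToString:expected];
}
```

A value copied from another device's plist fails the comparison because the HMAC key differs per device. `identifierForVendor` can change after the vendor's apps are removed and reinstalled, so the stored tag is a cache that a purchase restore should be able to rebuild.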


I would recommend reading up on verifying in-app purchases. It sounds to me like you are trying to roll your own in-app purchase verification system, which may be fraught with issues you might not have thought of yet. You have to be careful with your users' purchases that they will behave the same in your application as they will in any other, lest ye lose their trust (and future sales!)

fbrereto answered Oct 13 '22 06:10


I don't have an answer, but it seems that editing your plist file dynamically is not possible, if I trust this subject:

You cannot edit your info.plist file dynamically. When you submit your app to the App Store, your app bundle, which includes info.plist, can't change because the signature created when you compile your app is based on the bundle.

Zed-K answered Oct 13 '22 05:10


Instead of worrying about the Info.plist file, why not just set a preference? Somewhere in your code, this would give you your boolean value:

[[NSUserDefaults standardUserDefaults] boolForKey:@"someKey"];

If the value doesn't exist, the result will be nil. This code sets the value:

[[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"someKey"];

Plus, these values will be backed up in iTunes, so if the user moves their backup to a new iPhone or simply restores from backup, the values will be restored.

Jeff Kelley answered Oct 13 '22 05:10


Any pirate has a jail-broken iPhone.
Any jail-broken device offers full file system access via tools like PhoneDisk, etc.
Any file system access allows people to change the values in your application's .plist file.

Game over.

Now, it's not trivial to wrapper that up for the script kiddies, but then again it's not that hard either.

Jeff answered Oct 13 '22 05:10