How easy is it to hack a plist file in an app store app?

Question

Don't worry, I'm not trying to hack someone else's app, if that's what you're thinking =).

I want to have 2 versions of my app, a free version and a deluxe version. My plan was to use an in-app purchase to enable the deluxe version by setting a boolean value in the plist file.

My question is: is this secure or is it easily circumvented? And if it is not secure, can someone suggest a simple alternative? I don't want to download additional content, I would rather keep all of the functionality within the app and enable it somehow.

Edit: I don't mean the application plist file, but something like the user defaults file.

Answer 1

You should store this in the keychain, this is what I'll do. The keychain is far more secure than a .plist or the user defaults (which are .plists, too, as far as I know). Have a look at SFHFKeychainUtils, you should be able to use this or just implement a better method exactly for the need to save a simple bool.

Answer 2

It is easy to edit the com.something.plist without jailbreaking. With a free tool* you can browse your device, you can also edit and save these files. If you store your inapp purchase something like this:

[[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"com.example.pack1"];
[[NSUserDefaults standardUserDefaults] synchronize];

then this will be written to the plist:

<key>com.example.pack1</key>
<true/>

If you name your packages like this: pack1, pack2 etc., and somebody edits your plist (copy/pasting the first key), he/she could use the locked feature easily.

A not too hard to implement method would be to save like this:

[[NSUserDefaults standardUserDefaults] setValue:[self sha1ValueForKey:@"com.example.pack1"]               
                                         forKey:@"com.example.pack1"];
 [[NSUserDefaults standardUserDefaults] synchronize];

where -sha1ValueForKey: is

-(NSString *)sha1ValueForKey:(NSString *)key {
    return [self sha1:[NSString stringWithFormat:@"<SALT>%@", key]];
}

You have to change <SALT> to something.

You can find -sha1: here: http://www.makebetterthings.com/iphone/how-to-get-md5-and-sha1-in-objective-c-ios-sdk/

After this you can verify if the key matches the hashed value.

If somebody wants to hack your plist he/she has to know your hashing mechanism and salt. This is not the safest way to protect your application but it is easy to implement.

*iExplorer

EDIT:
The suggested method only protects - somewhat - your IAP if the user doesn't have access to the hashed value. If someone gets it from somewhere, it is easy to copy that data to the plist. If the SALT is device dependent copying is useless.

Answer 3

I would recommend reading up on verifying in-app purchases. It sounds to me like you are trying to roll your own in-app purchase verification system which may be wrought with issues you might not have thought of yet. You have to be careful with your user's purchases that they will behave the same in your application as they will in any other, lest ye lose their trust (and future sales!)

Answer 4

I don't have an answer, but it seems that editing your plist file dynamically is not possible, if I trust this subject :

You can not edit you're info.plist file dynamically. When you submit your app to The App Store, your app bundle, which includes info.plist, can't change because the signature created when you compile you app is based on the bundle.

Answer 5

Instead of worrying about the Info.plist file, why not just set a preference? Somewhere in your code, this would give you your boolean value:

[[NSUserDefaults standardUserDefaults] boolForKey:@"someKey"];

If the value doesn't exist, the result will be nil. This code sets the value:

[[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"someKey"];

Plus, these values will be backed up in iTunes, so if the user moves their backup to a new iPhone or simply restores from backup, the values will be restored.

Answer 6

Any pirate has a jail-broken iPhone Any jail-broken device offers full file system access via tools like PhoneDisk, etc Any file system access allows people to change the values in your applications .plist file

Game over.

Now, its not trivial to wrapper that up for the script kiddies but then again its not that hard either.