The In-App Purchase Programming Guide suggests you can persist In-App purchase in NSUserDefaults here. However, I found this article saying that it is insecure and data in it are easily accessed and modified:
NSUserDefaults are stored in plist in binary format, with no encryption, and is stored in your app’s directory. This means that any user, even the “noobiest” one, can tinker with your NSUserDefaults with 5 minutes of their time.
If it is true, a user can easily get for free anything provided as an in-app purchase that is persisted using NSUserDefaults.
Is the article still correct for iOS 8, 9? If so, how do you persist your in-app purchases? I prefer some simple solution. I do not (nor want to) validate receipts etc.
Because NSUserDefaults stores all data in an unencrypted .plist file, a curious person could potentially view this data with minimal effort. That means that you should never store any type of sensitive data inside NSUserDefaults.
Thread Safety: The UserDefaults class is thread-safe.
NSUserDefaults is a hierarchical persistent interprocess (optionally distributed) key-value store, optimized for storing user settings.
It's highly recommended to not save sensitive data in UserDefaults such as in-app purchases or obviously data such as passwords. Even data like high scores are better saved in keychain so people cannot cheat.
I think that part of the Apple documentation is outdated and should be changed as UserDefaults are not the way to store sensitive data, which in-app purchases definitely are IMO.
Just save basic data in UserDefaults like language settings, audio settings etc.
If you want to save sensitive data you should use Keychain. I think the keychain API is quite tricky to use but there is a great helper on GitHub you can use, it has CocoaPods and Swift Package Manager support and is actively maintained by its author.
https://github.com/kishikawakatsumi/KeychainAccess
There are 2 more projects I used to use which unfortunately no longer seem to be supported:
https://github.com/jrendel/SwiftKeychainWrapper
https://github.com/matthewpalmer/Locksmith
One thing to bear in mind with keychain is that data persists even if you delete your app, which I actually consider a good thing.
All credit goes to the authors of their respective wrappers.
Hope this helps