what do you all think about save tokens in ios userdefaults kotlinlang #multiplatform

what do you all think about save tokens in ios use...

Vitor Prado

05/04/2021, 9:17 PM

what do you all think about save tokens in ios userdefaults?? i saw a lot of devs yelling about how it’s unsafe.. but it’s like sharedprefs on android.. i know it’s not encrypted, but you need access to devices filesystem to read it.. correct me if i am wrong: you need to hack the device or stole the device to have access to it. (and after that you need to understand what it is and how to use)

Mejdi

05/04/2021, 9:39 PM

good question, thinking loudly: imagine if a hacker can access on his phone that token and use it maliciously using certain scripts…especially if that is a long lived token. how bad would that be ?

Vitor Prado

05/04/2021, 10:07 PM

it’s bad.. i know.. but sometimes apple devs looks like a security freaks.. we store tokens in android prefs since ever.. access device storage is a hard task for hackers.. and apple devices has encrypted filesystem.. looks like a overconcern about security.. tokens isn’t passwords.. you can expire them and it’s ok.

Stephen Gazzard

05/04/2021, 10:09 PM

I guess my counter question is, sharing in the Keychain is so simple these days with pods like KeychainAccess, what are you saving by not doing that? An hour development time, tops?

Vitor Prado

05/04/2021, 10:11 PM

the point is.. why in android we dont have this concern about where to save tokens and in ios we are overconcern about where to save it?

Vitor Prado

05/04/2021, 10:12 PM

I’m running into this ’cause i wrote keystores for multiplatform.. and userdefaults looks ok to put all my values.

Mejdi

05/04/2021, 10:13 PM

I am sure it is a concern on Android for bank apps for example..I can’t really recall the specifics but I am sure there is a secure solution on Android as well.

Mejdi

05/04/2021, 10:13 PM

@Vitor Prado I asked the question so that we reflect it is really a need in your case

Mejdi

05/04/2021, 10:13 PM

if it is not I think it is safe to proceed with userdefaults

✅ 1

darkmoon_uk

05/05/2021, 1:05 AM

All security is about having 'good enough' security so it depends on the Application. Is this a banking App or a grocery list App? Who is going to be motivated hard enough to break your App and to what end? Some people who have a security focus will naturally lean towards applying it more; but I believe it can be over-done. Priorities: Usually an App can be hardened after it's matured and used enough to make it an interesting target.

José González Gómez

05/05/2021, 7:22 AM

what do you all think about save tokens in ios userdefaults??

Don't. Just use the keychain.

José González Gómez

05/05/2021, 7:24 AM

I can’t really recall the specifics but I am sure there is a secure solution on Android as well.

AFAIK: https://developer.android.com/training/articles/keystore

🙏 1

José González Gómez

05/05/2021, 7:25 AM

userdefaults looks ok to put all my values.

UserDefaults is intended to store key/value pairs, usually related with user preferences, but it is not intended to store sensitive information.

louiscad

05/05/2021, 8:56 AM

I think a PC or Mac can read and possibly edit content saved into NSUserDefaults, unlike for Android

Diogo Ribeiro

05/05/2021, 4:52 PM

You cab have a secured shared preference these days. No need to save on the old one. Security should be always the priority. You did good asking yourself this question. 🎉

Open in Slack

Previous Next