what do you all think about save tokens in ios use...
# multiplatform
v
what do you all think about saving tokens in ios userdefaults?? i saw a lot of devs yelling about how it’s unsafe.. but it’s like sharedprefs on android.. i know it’s not encrypted, but you need access to the device's filesystem to read it.. correct me if i am wrong: you need to hack the device or steal the device to have access to it. (and after that you need to understand what it is and how to use it)
m
good question, thinking out loud: imagine if a hacker can access that token on his phone and use it maliciously using certain scripts… especially if that is a long-lived token. how bad would that be?
v
it’s bad.. i know.. but sometimes apple devs look like security freaks.. we have stored tokens in android prefs since forever.. accessing device storage is a hard task for hackers.. and apple devices have an encrypted filesystem.. looks like an overconcern about security.. tokens aren’t passwords.. you can expire them and it’s ok.
s
I guess my counter question is, sharing in the Keychain is so simple these days with pods like KeychainAccess, what are you saving by not doing that? An hour development time, tops?
v
the point is.. why in android we don't have this concern about where to save tokens and in ios we are overconcerned about where to save them?
I’m running into this ’cause i wrote keystores for multiplatform.. and userdefaults looks ok to put all my values.
m
I am sure it is a concern on Android for bank apps, for example.. I can’t really recall the specifics but I am sure there is a secure solution on Android as well.
@Vitor Prado I asked the question so that we reflect on whether it is really a need in your case
if it is not, I think it is safe to proceed with userdefaults
d
All security is about having 'good enough' security so it depends on the Application. Is this a banking App or a grocery list App? Who is going to be motivated hard enough to break your App and to what end? Some people who have a security focus will naturally lean towards applying it more; but I believe it can be over-done. Priorities: Usually an App can be hardened after it's matured and used enough to make it an interesting target.
j
> what do you all think about saving tokens in ios userdefaults??
Don't. Just use the keychain.
> I can’t really recall the specifics but I am sure there is a secure solution on Android as well.
AFAIK: https://developer.android.com/training/articles/keystore
> userdefaults looks ok to put all my values.
UserDefaults is intended to store key/value pairs, usually related to user preferences, but it is not intended to store sensitive information.
l
I think a PC or Mac can read and possibly edit content saved into NSUserDefaults, unlike for Android
d
You can have a secured shared preference these days. No need to save on the old one. Security should always be the priority. You did good asking yourself this question. 🎉