1

Ok, so I'm working on an iOS Swift application that needs a login system. Everything works fine, but I am not sure that it is secure to store the userid, which the application will receive from the server after login, with this:

NSUserDefaults.standardUserDefaults().setObject(userid, forKey: "userid")

and then get this variable on each view controller with this command:

var userid: AnyObject? = NSUserDefaults.standardUserDefaults().objectForKey("userid")

Is there a way to start a session, like in PHP?

Thank you!

  • 2
    What are you trying to secure the user id against? Is it secret? It's not really clear what your issue is – Wain Mar 14 '15 at 17:47
  • I wanna know if it is ok how I'm doing this. As I asked, I wanna know if there is another way, to start a session or something like this, like in PHP. I want to secure it against someone who can "break" my app... imagine that someone just somehow modifies the userid stored with this method. – Robert Constantinescu Mar 14 '15 at 17:50
  • There is no concept of a session unless you create it (write it yourself). If someone wants to break your app all you can do is make it hard, not impossible. What can the userid be used for that it could break the app? – Wain Mar 14 '15 at 17:56
  • If someone can modify the userid, they can be someone else on my app. Each user has a userid. Once you change it, you are someone else. – Robert Constantinescu Mar 14 '15 at 17:59

1 Answer

4

Values in NSUserDefaults are stored in your app’s directory as a plist in binary format, with no encryption. So they are easy to tamper with and therefore aren't secure.

There isn't a direct counterpart of a session in iOS unless you create it. This means that you can either store sensitive info in user defaults after encrypting them, or you can use the iOS Keychain to store them directly (which will perform the encryption for you). The usage of the Keychain on iOS is a bit complex but you can find wrappers for it.

Please see this topic for an example: iOS: How to store username/password within an app?

There's also a tutorial on raywenderlich: http://www.raywenderlich.com/92667/securing-ios-data-keychain-touch-id-1password

Cihan Tek
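
The Keychain storage recommended in the answer above, as an added example that is not part of the original answer: it calls the Security framework directly, in current Swift syntax rather than the Swift 1.x style of the question. The `SessionStore` and `KeychainError` names and the service string are hypothetical.

```swift
import Foundation
import Security

struct KeychainError: Error { let status: OSStatus }

// Hypothetical helper (not from the original post): keeps the value returned by
// the server in a generic-password Keychain item instead of NSUserDefaults.
enum SessionStore {
    // Assumed identifiers; replace with your own app-specific service name.
    private static let service = "com.example.myapp.session"
    private static let account = "userid"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Stores the value, replacing any existing item.
    static func save(_ value: String) throws {
        let data = Data(value.utf8)
        var status = SecItemUpdate(baseQuery as CFDictionary,
                                   [kSecValueData as String: data] as CFDictionary)
        if status == errSecItemNotFound {
            var attrs = baseQuery
            attrs[kSecValueData as String] = data
            // Readable only while the device is unlocked; never restored to another device.
            attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
            status = SecItemAdd(attrs as CFDictionary, nil)
        }
        guard status == errSecSuccess else { throw KeychainError(status: status) }
    }

    /// Returns the stored value, or nil when nothing has been saved (logged out).
    static func load() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError(status: status) }
        guard let data = result as? Data else { throw KeychainError(status: errSecDecode) }
        return String(data: data, encoding: .utf8)
    }

    /// Removes the item on logout; a missing item is not an error.
    static func clear() throws {
        let status = SecItemDelete(baseQuery as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else { throw KeychainError(status: status) }
    }
}
```

The Keychain protects the value at rest on the device; the server still has to authenticate each request rather than trust whatever userid the client sends.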