12
votes

I have some features which would be unlocked only after the purchase through in app purchase.

Is it fine if I store the flag value in NSUserDefaults to check whether app has been purchased or not?

Is it safe to store the flag in NSUserDefaults once purchase is done via In App Purchase?

3 Answers

33
votes

No, this is not safe.

The contents of NSUserDefaults are stored in plain text. They can be accessed and modified with tools like iExplorer. This also works on devices that are not jailbroken.

This means that if you save the purchase information in the NSUserDefaults, users can unlock your content without doing an actual purchase.

To save the flags in a way that is not as easy to "crack", you could do one of the following:

  1. Save an additional salted hash of your stored information. Use the hash to validate that the user has not modified the information. You can find an implementation of this concept here.

  2. Save the flags in the keychain. Read more in Apple's Keychain Services Programming Guide. You can find several implementations of this concept on GitHub, e.g. Lockbox.

Update: As of iOS 8.3, the access to the app sandbox is somewhat restricted. While this adds some security, I would still not recommend using NSUserDefaults, as access to the sandbox is still possible for jailbroken devices, apps that have iTunes file sharing enabled, and of course devices running older versions of iOS.
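
An added example, not part of the answer above and not Lockbox's code: a minimal Swift wrapper that keeps the purchase flag in the keychain (option 2 in the list) through the Security framework. The `PurchaseFlagStore` name and the service and account strings are assumptions made for illustration.

```swift
import Foundation
import Security

enum PurchaseFlagStore {
    // Hypothetical identifiers; replace with values scoped to your own app.
    static let service = "com.example.myapp.purchases"
    static let account = "premium_unlocked"

    // Attributes that uniquely identify the keychain item holding the flag.
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Stores the flag: updates the item if it exists, otherwise creates it.
    @discardableResult
    static func setPurchased(_ purchased: Bool) -> OSStatus {
        let data = Data([purchased ? 1 : 0])
        let changes: [String: Any] = [kSecValueData as String: data]
        var status = SecItemUpdate(baseQuery as CFDictionary, changes as CFDictionary)
        if status == errSecItemNotFound {
            var attrs = baseQuery
            attrs[kSecValueData as String] = data
            // Readable after first unlock, never migrated to another device.
            attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
            status = SecItemAdd(attrs as CFDictionary, nil)
        }
        return status
    }

    /// Fails closed: any lookup error or unexpected value reads as "not purchased".
    static func isPurchased() -> Bool {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return false }
        return data == Data([1])
    }
}
```

Call `PurchaseFlagStore.setPurchased(true)` once the purchase transaction completes and gate the paid features on `PurchaseFlagStore.isPurchased()`.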

2
votes

Yes, it's the best way. So you can track it through the flag which is stored in NSUserDefaults.

But when you delete the app from the device, its value becomes FALSE. So it will ask for the purchase again. But it will not charge the user for purchasing the same thing again.

Cheers.

1
votes

Yes, that is the best way. At least I stored it in NSUserDefaults for my non-consumable in-app purchase type. So it is working like a charm for me until now.