Security of string resources

Question

Recently i've asked about the security implications of storing sensitive info in the xml string resources in Android: the answer? Heavy security implications, is really easy to get the contents of every xml file with a simple command line tool, so it is almost mandatory to have important info encrypted.

Now, how is it like in iOS? How secure it is to have a certain data in a plist or a .strings localizable file, in plain text, non encrypted?

Answer 1

The exact same problems, a plist is a very common file for Mac OSX and iOS and it is just a XML file. Secure your sensitive data on ALL platforms!

I would like to add that apple does provide a way to securely store sensitive information in the Keychain.

Answer 2

If your app ships with a .plist file, then the end user can unzip the .ipa app file and see the .plist file and do whatever they want with it.

Answer 3

Still not very secure.

There is nothing stopping a user from unzipping an application stored on their computer in iTunes and viewing the contents. Its very easy to do, even without a jail broken phone. Any strings resources, plist files etc will be immediately accessible.

Even hard coded string literals are visible in the compiled binary when one views it with the strings utility. And going a set further, using the nm utility one can see all your applications symbols, such as method names, constants, etc.

I would recommend against storing anything that could be considered sensitive in plain text.

Answer 4

You can access any file on a jailbroken iPhone, so you'll need to encrypt sensitive data.