iOS: Is it secure to store sensible user information in [NSUserDefaults standardUserDefaults]?

Question

I understand that, besides some general settings, an iOS app can only see the contents in the [NSUserDefaults standardUserDefaults] that itself created. I guess the OS is looking at the app's identifier to ensure this, right? What I want to know is if there is any way another applications could gather information that my app stored in the user defaults.

Answer 1

Other apps would not be able to access information saved in your user defaults for your app. But this doesn't mean the information can't be obtained. You can plug your device into Xcode and run your app. Under devices, you can view your own app's information, and the information saved in user defaults will be listed there.

It generally isn't a good idea to save sensitive user data there, while not that easy to access, it is still accessible. For general non-personal data or settings, it really isn't a big issue. You can always use the built-in keychain access to store username and password information and use user defaults for anything else you might need.

In one of my apps, I salt and hash the username and password together to create a unique token. I save that in user defaults. It is worthless by itself, but that is just my way of doing things. Good luck.

Answer 2

Not on an un-jailbroken device. However, the user—or someone else with physical access to the device—can easily pull your app’s user defaults off the device; while you’re fine storing things like a username or an authentication token in your defaults, more valuable data (like passwords and financial information) should be stored in the Keychain or otherwise encrypted.

Answer 3

Generally No, no other apps are allowed to view information outside of their sandbox. However, if someone has a jailbroken device, then yes, the information stored in your NSUserDefaults are viewable, unless you encrypt your content.