NSUserDefaults *paid

I have an app that I will offer 7 free uses on a certain function inside the app. Then after the seventh use, I will disable the function until a purchase is made. My question is: can the user uninstall the app and reinstall to use the 7 free uses again? If so, what would be the alternative?

Thanks. I am currently using NSUserDefaults.

Accepted Reply

Yes, they can delete and reinstall. The solution is 1) use a free IAP to enable the trial period. 2) use the keychain - it survives delete and reinstall 3) use the user's iCloud key-value file.

Replies

Also - NSUserDefaults is easily hacked.

You have no control over the user's machine. The only way to enforce something like this is by using your own machine, that is, a server. This would probably not be allowed in the Mac App Store.

> You have no control over the user's machine.


I don't believe that the user can hack access to information contained in the keychain or the iCloud key-value file outside of the app's normal functioning. This is especially true if you add a signature field comprising the hash of the user's identifierForVendor and the contents the user is seeking and then check that hash field within the code to be sure it is correct.

I have an older app where I used the keychain. It still works! However, I can delete the keychain entries that it creates. It doesn't seem like this would work for the OP's needs.


However, this might work for my current needs. Although the keychain isn't secure in a DRM respect, it is better than user preferences. Easily my #1 support request is people who have lost their activation code for the non-Mac App Store version. Sadly, #2 support request is people who have paid Apple for the App Store in-app purchase and Apple's servers don't respond.


Do you have any modern information for using the keychain and iCloud key-value files? I have used the keychain before, but that app wasn't successful. But having used the keychain, I realize that I'm not very confident in my usage. I don't know if I want to deploy that in my successful app or not. Just because this is my #1 support request doesn't mean it isn't manageable. I don't want to risk making it worse.

Thanks, I think I will just limit the function until purchase is made. But was wanting to "showcase all functions it could offer". I have to think though: would a person go to the trouble to delete and reinstall to save $1.99? Especially if they like the functionality? Could you please elaborate on the IAP for a certain length of time? I will look for some material on that. I would assume this would be purchased free from the App Store by way of IAP and they would handle the length of time. Would this be hacked by changing date on device? Sorry if I am way off base in my thinking. Will look into it. But any advice would be helpful.

Found this on Apple:

Free Trial

The SKProductDiscountPaymentModeFreeTrial value represents a free trial offer type. In this introductory offer, new subscribers access content for free for a specified duration. Subscriptions begin immediately, but subscribers won’t be billed until the free trial period is over.

>would a person go to the trouble to delete and reinstall to save $1.99.


Yes, they will do it for $0.99.


>Found this on Apple Free Trial The SKProductDiscountPaymentModeFreeTrial


This is the free trial for an autorenewable.


There is also this from Guideline 3.1.1 for a free trial for non-consumables:

Non-subscription apps may offer a free time-based trial period before presenting a full unlock option by setting up a Non-Consumable IAP item at Price Tier 0 that follows the naming convention: “XX-day Trial.” Prior to the start of the trial, your app must clearly identify its duration, the content or services that will no longer be accessible when the trial ends, and any downstream charges the user would need to pay for full functionality. Learn more about managing content access and the duration of the trial period using Receipts and Device Check.

I have not explored the "Device Check" functionality. But you could check the purchase date in the receipt for this free IAP to avoid a user repurchasing the IAP for free. Or use the user's key-value file to record the purchase date of this IAP.


Using the user's iCloud key-value file to record the start date of a free trial is quite easy. It is unclear to me the advantage of using the "XX-day Trial" IAP rather than doing it yourself.

>I can delete the keychain entries that it creates


Are you writing that it is possible for a user to delete an entry in their keychain for a particular app? If so, my belief that the keychain survives a delete-and-reinstall of an app is subject to hacking. Could you please confirm that it is subject to hacking? Thanks.


>Do you have any modern information for using the keychain and iCloud key-value files?


The iCloud key-value file is here:

https://developer.apple.com/library/archive/documentation/General/Conceptual/iCloudDesignGuide/Chapters/DesigningForKey-ValueDataIniCloud.html#//apple_ref/doc/uid/TP40012094-CH7-SW1


and the keychain is here:

https://developer.apple.com/documentation/security/keychain_services?language=objc

with:

https://developer.apple.com/library/archive/samplecode/GenericKeychain/Listings/LICENSE_txt.html



I decided to offer 3 free unlimited trials of the particular function in the app. I will use

NSUbiquitousKeyValueStore *cloudStore = [NSUbiquitousKeyValueStore defaultStore];

self.installed = [cloudStore objectForKey:@"installed"];

Then when paid in IAP this will be set to no instead of yes. It works in development on my device as I cannot uninstall and then reinstall to get a set of free trials. But I have noticed that in TestFlight testing it will not work. But I think this is not going to act the same as when downloaded from the App Store. When my tester received the invitation and used up all of the 3 trials and uninstalled and then reinstalled from the TestFlight app, it gave the free trials again. Is this normal action for installing from TestFlight and not from the store? Because it worked on testing on my device in Xcode in development. Thanks.

I apologize for suggesting that iCloud data is retained in a delete-and-reinstall of the app. I do not know if that is true. I use the iCloud key-value file to link an IAP to all devices with the same Apple ID rather than letting users restore their IAP by logging into the same App Store ID. (That prevents one user from sharing the IAP with 30 users. A user can share their App Store ID with little risk. It is much more difficult to share the Apple ID of the device.)


I do believe the keychain is retained in a delete-and-reinstall of the app.

>Could you please confirm that it is subject to hacking?


Correct. It is not a safe place for this kind of time-limited DRM data. You can definitely use it for DRM, but you can't use it to store something like a run-count. It is too easy to delete and then reset the count.


I also don't think iCloud is appropriate for DRM data. That would effectively let Apple's iCloud data sharing policies control your DRM. Either that, or it would have strange behavior if your app tried to limit what iCloud was trying to over-write. Also, I think I tried this once before and there was a build-time conflict between the entitlement and support for old OS versions.


But I do appreciate your post. It was easy to dig up my old code and use it as a backup for DRM data. This way, even if an app zapper deletes my preferences file, I can still pull it out of the keychain. This will be good.

"It is too easy to delete and then reset the count."


Let me be specific. Have you been able to remove all keychain items for a specific app? If not, why do you believe it can be done?

I was able to find and remove the keychain item that I created. Whether some hypothetical better programmer than me could create a keychain item more secure is a moot point. I'm all I've got, unless you choose to enlighten me. I do see the ability to create an invisible keychain item, but beyond that, I'm outside my comfort zone. Attempting to write security-related code beyond one's abilities is usually a bad idea.


I also know the extent that hackers have gone to in order to crack my app. They have not been able to access server-side resources though. That is what gives me more confidence in remote, internet-based locks as opposed to local ones.
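A model of the two approaches discussed in this thread, as an added example that is not code from any poster: a signed local trial record (here an HMAC rather than a bare hash, with a constructed key and device ID) and a server-side counter keyed by a hypothetical `account_id`. It is written in Python to stay platform-neutral; the signature catches an edited count but not a deleted record, which only the server counter sees.

```python
import hashlib
import hmac
import json

FREE_USES = 7  # limit from the original question

def seal(record, key):
    """Copy of record plus an HMAC-SHA256 tag over its canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return {**record, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(sealed, key):
    """True only if the tag matches the other fields (constant-time compare)."""
    record = {k: v for k, v in sealed.items() if k != "sig"}
    expected = seal(record, key)["sig"].encode()
    return hmac.compare_digest(expected, str(sealed.get("sig", "")).encode())

def local_allows(stored, device_id, key):
    """Client-side decision from whatever the local store returned."""
    if stored is None:  # nothing stored: indistinguishable from a first launch
        return True
    if not verify(stored, key) or stored.get("device") != device_id:
        return False  # edited, or copied from another device
    return stored.get("uses", FREE_USES) < FREE_USES

class ServerLedger:
    """Server-side counter; account_id is a hypothetical stable identifier."""
    def __init__(self):
        self._uses = {}

    def consume(self, account_id):
        used = self._uses.get(account_id, 0)
        if used >= FREE_USES:
            return False
        self._uses[account_id] = used + 1
        return True

def demo():
    key = b"constructed-demo-key"  # assumption: a key shipped in an app is extractable
    dev = "constructed-device-id"  # stands in for identifierForVendor
    spent = seal({"device": dev, "uses": FREE_USES}, key)
    edited = {**spent, "uses": 0}  # count changed, old tag kept
    ledger = ServerLedger()
    server = [ledger.consume("constructed-account") for _ in range(FREE_USES + 1)]
    return {"spent": local_allows(spent, dev, key),
            "edited": local_allows(edited, dev, key),
            "deleted": local_allows(None, dev, key),
            "server_last": server[-1]}
```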

>I was able to find and remove the keychain item that I created.


Well that's unfortunate for my use of the keychain to store 'permanent' information of a user.


> They have not been able to access server-side resources though.


But you need some way of permanently identifying a particular user or device - what do you use for that? Can't a user delete and reinstall an app and then reappear on your server as a new user?