iCloud Key-value Storage: prevent users from seeing contents

Hello all, we are working on a game for iOS using Unity.

We have been able to save our game data using the iCloud KVS, but when I used a tool to explore the iPhone content (iExplorer) I found the dictionary with all our values.

We don't want users to tamper with the savefiles, so I would like to know if there's any way of preventing this data from being found, or if some kind of encryption is available, or if we should simply encrypt it ourselves before saving.


Thanks a lot!

pistoleta

Replies

There are two different things in security - encryption and signing. You encrypt if you don't want someone to see the data. You sign if you don't want someone to change the data. You wrote:


"We don't want users to tamper with the savefiles"


If that is correct all you need to do is sign the data. You do not need to encrypt.


To sign data:


#import <CommonCrypto/CommonDigest.h>

// Returns the hex SHA-1 digest of the serialized array plus a secret salt string.
-(NSString *)signatureForArray:(NSArray *)theArray{
    NSError *error = nil;
    // Append the secret salt so the digest cannot be recomputed without it.
    NSMutableArray *fullArray=[NSMutableArray arrayWithArray:theArray];
    [fullArray addObject:@"replace this with a secret salt string"];
    NSData *data =[NSPropertyListSerialization dataWithPropertyList:fullArray format:NSPropertyListXMLFormat_v1_0 options:0 error:&error ];
    if (data == nil) {
        return nil;  // serialization failed; details are in error
    }
    unsigned char result[CC_SHA1_DIGEST_LENGTH];
    CC_SHA1([data bytes], (CC_LONG)[data length], result);
    // Hex-encode the 20-byte digest.
    NSString *fileHash = [NSString  stringWithFormat:
            @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
                result[0], result[1], result[2], result[3], result[4],
                result[5], result[6], result[7],
                result[8], result[9], result[10], result[11], result[12],
                result[13], result[14], result[15],
                result[16], result[17], result[18], result[19]
                ];
    return fileHash;
}

Then save the signature string along with the array. Anytime you wish to use the array first check to be sure the returned signature is still the correct signature. If it is, the user did not change the array.

Thanks a lot for your response. I was a little bit familiar with encrypting and signing, and of course we will use it for KVS, but my question is about users being able to see and manipulate values on KVS, even if they are encrypted and signed (I understand that no matter which encryption method you use, a good hacker will be able to crack it; at least that's what I've read).

So my question is more about the KVS features themselves: are they protected against manipulation natively? Do users need to jailbreak their phones to modify these files? I really spent time looking for this information and found nothing.

Thanks a lot,

pistoleta

Most users do not have 'other-than-through-the-app' access to their KVS file. A dedicated hacker may be able to gain access - I have no idea how much dedication it would take. Apple most likely has access to the file.


Here is a simple encryption post in StackOverflow:

https://stackoverflow.com/questions/1400246/aes-encryption-for-an-nsstring-on-the-iphone


But if you use encryption you will have to deal with various government export regulations. So, unless you need to hide the data, don't.


> no matter which encryption method you use a good hacker will be able to crack it,

Perhaps. But if you use a CC_SHA1 signature it may not be possible to manipulate the data and reconstruct the signature without that secret salt string.
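The save-then-check step described in the signing reply, as an added example that is not code from any poster in this thread. It swaps the salted SHA-1 for HMAC-SHA256 (CommonCrypto's `CCHmac`) and stores the serialized bytes next to their MAC; the function names, the `payload`/`mac` record keys and the key string are assumptions, and the record dictionary stands in for what the app would write to KVS.

```objc
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonHMAC.h>

// Placeholder secret (assumption). Anything shipped inside the app can be
// extracted from the binary, so this raises the cost of tampering only.
static NSData *SaveKey(void) {
    return [@"replace-with-your-own-secret" dataUsingEncoding:NSUTF8StringEncoding];
}

static NSData *MACForData(NSData *payload) {
    NSData *key = SaveKey();
    NSMutableData *mac = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, key.bytes, key.length, payload.bytes, payload.length, mac.mutableBytes);
    return mac;
}

// Serialize once and store the exact bytes next to their MAC, so verification
// never depends on re-serializing the values identically.
static NSDictionary *SealSave(NSArray *values) {
    NSData *payload = [NSPropertyListSerialization dataWithPropertyList:values
        format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];
    if (payload == nil) return nil;
    return @{@"payload": payload, @"mac": MACForData(payload)};
}

// Returns the saved values, or nil if the record is incomplete or was altered.
static NSArray *OpenSave(NSDictionary *record) {
    NSData *payload = record[@"payload"], *mac = record[@"mac"];
    if (![payload isKindOfClass:[NSData class]] || ![mac isKindOfClass:[NSData class]]) return nil;
    NSData *expected = MACForData(payload);
    if (mac.length != expected.length) return nil;
    const uint8_t *a = mac.bytes, *b = expected.bytes;
    uint8_t diff = 0;  // accumulate differences so the compare has no early exit
    for (NSUInteger i = 0; i < expected.length; i++) diff |= a[i] ^ b[i];
    if (diff != 0) return nil;
    id values = [NSPropertyListSerialization propertyListWithData:payload
        options:NSPropertyListImmutable format:NULL error:NULL];
    return [values isKindOfClass:[NSArray class]] ? values : nil;
}

int main(void) {
    @autoreleasepool {
        NSDictionary *record = SealSave(@[@"level", @7, @"coins", @1200]);  // constructed sample
        NSLog(@"untouched record: %@", OpenSave(record));
        NSMutableDictionary *edited = [record mutableCopy];  // simulate a user editing the values
        edited[@"payload"] = [NSPropertyListSerialization dataWithPropertyList:@[@"level", @7, @"coins", @999999]
            format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];
        NSLog(@"edited record: %@", OpenSave(edited));
    }
}
```

`OpenSave` returns the array for the untouched record and nil for the edited one, because the stored MAC no longer matches the payload bytes.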