Can users modify NSUserDefaults key values in an iOS app?

Question

I have a question about security.

I am making an iOS app with in app purchase following this tutorial, and I store what products were bought in NSUserDefaults. That\

Answer 1

Yes, they can. The user defaults are stored relative to your app directory here:

./MyAppName.app
./Library/Preferences/com.mycompany.MyAppName.plist

The plist file is not encrypted or signed, so it can be modified easily:

plutil -convert xml1 com.mycompany.MyAppName.plist
vim com.mycompany.MyAppName.plist

You can look into the iOS keychain, as @rckoenes said, or also something like this open source secure defaults replacement, which offers an interface similar to NSUserDefaults.

---

Update:

Since iOS 8, the data directory (and thus the preferences plist files) are now under:

/var/mobile/Containers/Data/Application/<GUID>/Library/Preferences/

Apple Reference Docs

Answer 2

Yes a user with a jailbroke device can easily modify the NSUserDefault since it's just a plist file in the library directory of your app's sandbox.

You might want to store secure stuff in the keychain, which is a little more secure then the NSUserDefault.

Answer 3

Even users without a Jailbroken device can modify plists...