How "accessible" are values in system.setPreferences, e.g. in rooted devices

Dear Corona community,

I use a userID variable set via system.setPreferences to download a user’s images from a cloud. On the server side I have a MySQL query that fetches only those images where the userID matches this userID.

Now I am wondering how easy it is to change this userID once the app is installed on a device. The idea behind this might be obvious: If a user changed this userID, he could download images from other users.

Can this be done when the device is not rooted? Can it be done if it is rooted?

Thanks for any information

https://stackoverflow.com/a/9244620

You have to assume that if a device is rooted or jailbroken that the user has access to everything. But most advice is to not worry about it. You will spend more effort trying to fight the few people who care and if it is something tied to income, such as in-app purchases, you’re not going to make money from cheaters anyway.

Rob

All right, thank you Scott and Rob for the information and opinion.

Just had an idea: Since I also store a user’s facebookID on their device, I’ll ask for both the userID and facebookID when private data (such as private images) is requested. This way, even if a user roots his device and changes the userID to a random value, he still needs this random user’s facebookID. Bruteforcing the combination userID + facebookID can be prevented on the server side, and even if this solution can surely be bypassed in some way, it is an additional obstacle to overcome.
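The server-side check described in the last post, as an added example that is not code from the thread or from any poster: images are returned only when userID and facebookID belong to the same account, and repeated mismatches from one client are locked out. The table layout, the `ImageService` class, the limits and the sample rows are assumptions, and SQLite stands in for MySQL so the block runs offline.

```python
import sqlite3
import time

MAX_FAILURES = 5        # assumed limit, not from the thread
LOCKOUT_SECONDS = 900   # assumed lockout window, not from the thread

def make_db():
    """In-memory stand-in for the MySQL tables, with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, facebook_id TEXT)")
    db.execute("CREATE TABLE images (user_id INTEGER, url TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "fb-1001"), (2, "fb-2002")])
    db.executemany("INSERT INTO images VALUES (?, ?)",
                   [(1, "a.jpg"), (1, "b.jpg"), (2, "c.jpg")])
    return db

class ImageService:
    def __init__(self, db, now=time.time):
        self.db = db
        self.now = now
        self.failures = {}  # client address -> (failure count, time of last failure)

    def _recent_failures(self, client):
        count, last = self.failures.get(client, (0, 0.0))
        # Failures older than the lockout window no longer count.
        return count if self.now() - last < LOCKOUT_SECONDS else 0

    def fetch_images(self, client, user_id, facebook_id):
        failures = self._recent_failures(client)
        if failures >= MAX_FAILURES:
            return ("locked", [])
        # Both identifiers must match the same account row; bound parameters
        # keep the client-supplied values out of the SQL text.
        rows = self.db.execute(
            "SELECT i.url FROM users u LEFT JOIN images i ON i.user_id = u.user_id "
            "WHERE u.user_id = ? AND u.facebook_id = ? ORDER BY i.url",
            (user_id, facebook_id)).fetchall()
        if not rows:
            # Unknown pair: count it. A later success does not reset the counter,
            # so it cannot be cleared by interleaving requests for one's own account.
            self.failures[client] = (failures + 1, self.now())
            return ("denied", [])
        return ("ok", [url for (url,) in rows if url is not None])
```

The same lookup works unchanged if the second column holds a random value issued by the server at login instead of the facebookID.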