how secure are app sandbox files?

Hi - I was thinking of trying to create a simple password manager app for my own use. The app would simply store a list of login credentials in a file, presumably in the documents directory in JSON format or something like that. Then I’d build the app for both macOS and iOS and run it on my devices. I’m not sure how secure any of this would be, though. The app itself would demand a password on startup, but would it be possible for someone to read the JSON file from outside the app on OS X or iOS? Thanks.

1 Like

If you don’t encrypt them anybody can read them.

2 Likes

Even with encryption, nothing that is stored locally is really safe.

Encrypting said data makes it harder for someone to read them, but you still need to store the encryption key (and IV) somewhere in the code and/or with the locally saved data. Your encryption methods will also be readable from your code.

Basically, each step will make it more difficult for a potential attacker to read your data, but whenever the attacker has physical access to the device where the data is stored and processed, then it’s just a question of whether the attacker is skilled enough.

2 Likes

I can see that the app’s data files could be accessible on a laptop or desktop, but is it that easy to read an app’s data files in iOS from outside the app?

It just requires a few extra steps, nothing more.

1 Like

Yes. On a Solar2d app they are just in a folder. Very easy to get to.

1 Like

@d2gp I think you can use one master password. Learn it and use it to decrypt the remaining passwords without saving it anywhere.
And I would use some kind of variable, like today’s number.
For example, the pass is “DOHIpNsq”. And today, 15.05, you need to write “1DOHI50pNsq5”. The function selects the digits (1505), compares them with os.date() and if there is a match then the key (already without numbers) is transferred to the files. Or any other little thing, like a hidden button, or when you entered the correct code, the wrong answer is given, but if you click on the text 10 times, the correct one is issued.

1 Like

@lxl and @d2gp if you wish to store any information in the sandbox, then you can be certain that said data won’t be safe. The simple fact of the matter is that all security measures fail if the user is given physical access to the device where all of the data is stored.

My company uses AES256 to encrypt local save data and we use SHA256 to create hashes to check the save data against manipulations, but we do so knowing that ultimately the data isn’t secure. These measures will block 99% of attackers, i.e. script kiddies and such, but they won’t protect against competent “hackers”.


You should also not try to invent your own “secret cryptographic measures” as they are safe only until the point when someone gains access to your code, at which point they will be broken. Using a master password to encrypt files would work, sure, but then you’ll run into the problem that if the user forgets their password, then they can never recover their data.

The most secure way to protect your app’s data is to have it on a secure server.

Edit: Essentially, just know why you want to protect your data. Is it to keep players from adding currency or points to their profile? Then encryption is already enough to prevent most who’d want to cheat and those who can get past said measures are likely people who’d never spend money on your app anyway. Then again, if you are thinking of commercial “password manager” type apps, then don’t.

1 Like
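An added example, not code from anyone in this thread and written in Python rather than Solar2D's Lua so that it runs on the standard library alone: one way to combine the master-password idea and the save-data hash check discussed above. The key is derived from the master password with PBKDF2 and never stored, and the tamper check is an HMAC under that key, shown next to an unkeyed SHA-256 for comparison. The record layout, function names, sample data and iteration count are assumptions, and `payload` stands in for the AES ciphertext, which this sketch does not produce.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for the slowest target device


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key. Only the salt is stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)


def seal(payload: bytes, master_password: str) -> dict:
    """Build the record written to the sandbox file (payload would be ciphertext)."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    return {
        "salt": salt.hex(),
        "payload": payload.hex(),
        "sha256": hashlib.sha256(payload).hexdigest(),                # unkeyed digest
        "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest(),   # keyed tag
    }


def unkeyed_ok(record: dict) -> bool:
    """Integrity check that needs no secret, so it can be refreshed by any editor."""
    payload = bytes.fromhex(record["payload"])
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), record["sha256"])


def keyed_ok(record: dict, master_password: str) -> bool:
    """Integrity check that only passes if the tag was made with the password's key."""
    key = derive_key(master_password, bytes.fromhex(record["salt"]))
    payload = bytes.fromhex(record["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac"])


def simulate_edit(record: dict, new_payload: bytes) -> dict:
    """Model a file edit made without the password: payload and unkeyed digest change."""
    edited = dict(record)
    edited["payload"] = new_payload.hex()
    edited["sha256"] = hashlib.sha256(new_payload).hexdigest()
    return edited


if __name__ == "__main__":
    rec = seal(b'{"coins": 10}', "constructed master password")  # constructed sample
    edited = simulate_edit(rec, b'{"coins": 9999}')
    print(unkeyed_ok(edited), keyed_ok(edited, "constructed master password"))
```

The edited record still passes the unkeyed check but fails the keyed one. A wrong master password fails the keyed check as well, which is what lets the app reject a password without storing it.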