Correct and secure manner of storing in-app-purchases

What is the best way to store an in-app-purchase on a device开发者_Python百科, so that the purchases can also be accessed offline but the security of the purchases are not compromised?

Do not store anything valuable on the device as it cannot be trusted and it can easily be compromised by someone motivated.

Now, all of this depends on the type and value of the item that is being purchased and what happens if its compromised.

If its truly valuable then use a remote secure server for managing secure items. In app purchases include a receipt that can be verified by your remote secure server talking to apple's servers directly through a secure connection. See this link to verifying store receipts.

As far as I know, the most convenient way to securely store a purchased asset would be to use some form of encryption.

The user should be able to download an encrypted asset, and the app should decrypt it on the fly.

However, make sure that you store the key in a secure fashion as well, as string keys (within the app binary) can easily be recovered by a skilled hacker. A good way to secure the key would be to use some sort of authentication with a server-based system. The app would get the key off the server and keep it only for the few moments required to decrypt the asset.

This defense mechanism is not impregnable; I feel that it is sophicaticated enough to discourage most users from attempting to undermine it.

To decrypt your assets on the device, a good idea would be to use CommonCrypto. It's provided by Apple (with the iOS SDK), so you don't have to build it from scratch and you don't have to provide documentation (required by US law) for your app. I find Jim Dovey's Common Crypto wrapper the easiest way to use it.

Hope that helps. :)

You'll want to encrypt the file, for which your best bet is probably Common Crypto. In order to be able to access the data offline, you need to store the encryption key on the device.

The solution is to use the keychain: Use SecRandomCopyBytes to generate a key of sufficient length, and store it in the keychain using SecItemAdd. Then use that key to encrypt the data and write it to the device's local storage in the normal manner. When it comes time to read the file back from disk, use SecItemCopyMatching to load the key from the keychain and use it to decrypt the data.