Hello, I am building an iPhone game where I store the player's game data in the Documents folder of the application. The game data is serialized to disk using encodeWithCoder. Using this approach, am I at risk of malicious players altering the game data by hand?

I know jailbroken phones give you ssh access to your phone. So in theory, a player can ssh into his phone, find the game data, and edit it using vi to tweak their data?

I have a jailbroken phone for testing and I'm trying it now, but each attempt at editing it seems to corrupt the file and make it impossible to be read by the game.

I'm also trying to scp the data file to my dev machine, open it up using Xcode, tweak the values, and send it back to the app. But I'm not having any success in seeing the new values appear in the game.

So am I safe from this type of exploit?

Thanks.

A: 

No, on a jailbroken iPhone the user can do whatever he likes, even change your file. The only safe place is on the internet, on a server controlled by you.

Georg
+1  A: 

If you are really worried about it, encrypt it.

I say "if" since the # of people who are going to jailbreak their phone to hack your app is so minuscule it is not worth worrying about. If and when it is worth worrying about, you can change it.

This smells like a premature optimization to me.

Genericrich
A: 

Agreed, this sounds like a minor problem. Why would a user want to go through the trouble of hex editing their score on a jailbroken device? The last time I even thought of doing something similar was with Neuromancer on the Apple II+.

If you do have a case where trusted local data is required as part of some online competition, you could try storing it on the device using the Keychain API, although even that might be accessible to the local user.

Brad Larson