Recommended way to save unlocked features info in Ionic 3?

I want to introduce a feature in my app that will be unlocked for X hours if the user look a video reward ad (using the admob free plugin).

I have the code almost done but I am not sure how will be the safest way to save this information (ie the reward info, timestamp etc).

Currently I save all the app data using Ionic Storage (import { Storage } from '@ionic/storage';) but I am not sure if this is recommended or safe for this kind of information since it could maybe be easy to change this data externally(?).

Does anybody has any recommendation?

Thanks

Well, that depends on your application I would say.
If you have a server which can control this, that would be one solution.

In my case, I am not using a server, so I do it locally on the device. Generally, I use a SQLite DB. Since I was not able to get SQLCipher working with it (encrypted database), I wrote some encryption layer myself, which will auto encrypt and decrypt any key and value stored/read from DB. The encryption key is generated on first launch, divided into several parts - some stored in the DB, some stored on file system, some part is static and some can be obtained from the device (I will not disclose how I do it exactly :wink: ). The parts are modified via several transformations and the complete logic is run through an obfuscator.

This is in no way a 100% secure solution, but from my point of view a sufficient solution for my use case, where no user to user game interaction will be affected (the user just can gain some single-player benefits).
The 0.00001% of people who has the time, passion and thrill to figure that out has better options to do so in a hybrid app in my opinion.

If the benefits could affect user-to-user interaction I would try to find better solutions, probably server side.

Hope that helps a bit.

1 Like

Do you use an API to register/sign in users?

You should use an API call to get/set the User’s lock/unlocked state.

If you are concerned about tampering you could store the lock/unlocked state locally and call the API at random intervals and compare it to the stored value.

This is what I do as well locking certain features behind an in app purchase that changes a value in a SQLite database. The encryption layer is a smart move but something I wouldn’t be able to do myself and I doubt that many users are tracking and modifying database variables. I guess that if they really want to go out of their way to save $5, then it’s unlikely they would have purchased it anyways…

Thanks for your input it was very informative! I also do not use a server and my app does not have any user-to-user interaction. After reading your post I also looked into Secure Storage. Maybe I could combine it with an extra local obfuscation.

Thanks!

It does not. I thought about using Google’s subscriptions options but there the shorter option is one week.

Maybe I could use Firebase with Google’s authentication? It will be safe as make a complete server side app from null.