I want to introduce a feature in my app that will be unlocked for X hours if the user watches a video reward ad (using the AdMob Free plugin).
I have the code almost done but I am not sure what the safest way to save this information would be (i.e. the reward info, timestamp, etc.).
Currently I save all the app data using Ionic Storage (import { Storage } from '@ionic/storage';) but I am not sure if this is recommended or safe for this kind of information since it could maybe be easy to change this data externally (?).
Well, that depends on your application I would say.
If you have a server which can control this, that would be one solution.
In my case, I am not using a server, so I do it locally on the device. Generally, I use a SQLite DB. Since I was not able to get SQLCipher working with it (encrypted database), I wrote some encryption layer myself, which will auto encrypt and decrypt any key and value stored/read from DB. The encryption key is generated on first launch, divided into several parts - some stored in the DB, some stored on file system, some part is static and some can be obtained from the device (I will not disclose how I do it exactly). The parts are modified via several transformations and the complete logic is run through an obfuscator.
This is in no way a 100% secure solution, but from my point of view a sufficient solution for my use case, where no user to user game interaction will be affected (the user just can gain some single-player benefits).
The 0.00001% of people who have the time, passion and thrill to figure that out have better options to do so in a hybrid app in my opinion.
If the benefits could affect user-to-user interaction I would try to find better solutions, probably server side.
You should use an API call to get/set the User’s lock/unlocked state.
If you are concerned about tampering you could store the lock/unlocked state locally and call the API at random intervals and compare it to the stored value.
This is what I do as well, locking certain features behind an in-app purchase that changes a value in a SQLite database. The encryption layer is a smart move but something I wouldn’t be able to do myself and I doubt that many users are tracking and modifying database variables. I guess that if they really want to go out of their way to save $5, then it’s unlikely they would have purchased it anyways…
Thanks for your input, it was very informative! I also do not use a server and my app does not have any user-to-user interaction. After reading your post I also looked into Secure Storage. Maybe I could combine it with an extra local obfuscation.
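
The two checks discussed in this thread (a locally stored unlock record, and a periodic comparison against a server copy), as an added example that is not code from any poster. `REWARD_MS`, `SKEW_MS`, the record shapes and all function names are assumptions; reading and writing the record (Ionic Storage, SQLite, Secure Storage) and the API call itself are left to the caller.

```typescript
// Added example; every name and constant here is hypothetical.
const REWARD_MS = 4 * 60 * 60 * 1000; // assumed value for "X hours": 4
const SKEW_MS = 5 * 60 * 1000;        // tolerated backwards clock drift

interface Unlock { expiresAt: number }                     // ms since epoch
interface LocalState { unlock: Unlock | null; lastSeen: number }
interface Verdict { unlocked: boolean; reason: string; state: LocalState }

// Called once when the ad plugin reports the reward.
function grantReward(state: LocalState, now: number): LocalState {
  return { unlock: { expiresAt: now + REWARD_MS }, lastSeen: Math.max(now, state.lastSeen) };
}

// Offline check: trust the stored record only while it is plausible.
function checkLocal(state: LocalState, now: number): Verdict {
  if (now + SKEW_MS < state.lastSeen) {
    // Device clock is earlier than a time the app has already observed.
    return { unlocked: false, reason: "clock-rollback", state };
  }
  const next: LocalState = { unlock: state.unlock, lastSeen: Math.max(now, state.lastSeen) };
  if (next.unlock === null) return { unlocked: false, reason: "no-reward", state: next };
  const remaining = next.unlock.expiresAt - now;
  if (remaining <= 0) return { unlocked: false, reason: "expired", state: { ...next, unlock: null } };
  if (remaining > REWARD_MS + SKEW_MS) {
    // One reward never grants more than REWARD_MS, so the stored value was edited.
    return { unlocked: false, reason: "implausible-expiry", state: { ...next, unlock: null } };
  }
  return { unlocked: true, reason: "ok", state: next };
}

// Periodic check: the server copy wins and overwrites the local one.
function reconcile(state: LocalState, server: Unlock | null, serverNow: number): Verdict {
  const live = server !== null && server.expiresAt > serverNow ? server : null;
  const localExp = state.unlock ? state.unlock.expiresAt : null;
  const serverExp = live ? live.expiresAt : null;
  const reason = localExp === serverExp ? "in-sync" : "mismatch-replaced";
  return { unlocked: live !== null, reason, state: { unlock: live, lastSeen: serverNow } };
}
```

Persist the `state` returned by each call; `lastSeen` lives in the same local store as the record, so without the server comparison this only detects the simple edits (a later expiry, a rolled-back clock).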