Recommended way to save unlocked features info in Ionic 3?


#1

I want to introduce a feature in my app that will be unlocked for X hours if the user watches a video reward ad (using the admob free plugin).

I have the code almost done but I am not sure what would be the safest way to save this information (i.e. the reward info, timestamp etc).

Currently I save all the app data using Ionic Storage (import { Storage } from '@ionic/storage';) but I am not sure if this is recommended or safe for this kind of information since it could maybe be easy to change this data externally(?).

Does anybody have any recommendation?

Thanks


#2

Well, that depends on your application I would say.
If you have a server which can control this, that would be one solution.

In my case, I am not using a server, so I do it locally on the device. Generally, I use a SQLite DB. Since I was not able to get SQLCipher working with it (encrypted database), I wrote some encryption layer myself, which will auto encrypt and decrypt any key and value stored/read from DB. The encryption key is generated on first launch, divided into several parts - some stored in the DB, some stored on file system, some part is static and some can be obtained from the device (I will not disclose how I do it exactly :wink: ). The parts are modified via several transformations and the complete logic is run through an obfuscator.

This is in no way a 100% secure solution, but from my point of view a sufficient solution for my use case, where no user to user game interaction will be affected (the user just can gain some single-player benefits).
The 0.00001% of people who have the time, passion and thrill to figure that out have better options to do so in a hybrid app in my opinion.

If the benefits could affect user-to-user interaction I would try to find better solutions, probably server side.

Hope that helps a bit.


#3

Do you use an API to register/sign in users?

You should use an API call to get/set the User’s lock/unlocked state.

If you are concerned about tampering you could store the lock/unlocked state locally and call the API at random intervals and compare it to the stored value.
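
The comparison described in post #3 (cache the state locally, periodically check it against the server's copy), sketched as an added example that is not part of the original thread. The `UnlockGrant` and `ServerState` shapes and the function names are hypothetical, and the server is assumed to return its own clock alongside the grant.

```typescript
// Added example: all names and shapes here are hypothetical, not an Ionic or AdMob API.
interface UnlockGrant {
  feature: string;
  expiresAt: number; // epoch ms, set by the server when the reward is granted
}

interface ServerState {
  serverNow: number;         // server clock, epoch ms (assumed to be in the API response)
  grant: UnlockGrant | null; // null: the server has no grant for this user
}

interface Verdict {
  unlocked: boolean;
  mismatch: boolean;         // local copy claims more than the server backs
  store: UnlockGrant | null; // value to write back to local storage
}

// Compare the locally cached grant with the server's answer.
// The server copy always wins; the local copy is only a cache.
function reconcile(local: UnlockGrant | null, server: ServerState): Verdict {
  const grant = server.grant;
  // A local record that already expired is just a stale cache, not a mismatch.
  const mismatch =
    local !== null &&
    local.expiresAt > server.serverNow &&
    (grant === null ||
      grant.feature !== local.feature ||
      local.expiresAt > grant.expiresAt);
  // Expiry is judged against the server clock, so moving the device
  // clock backwards does not extend the unlock window.
  const unlocked = grant !== null && server.serverNow < grant.expiresAt;
  return { unlocked, mismatch, store: unlocked ? grant : null };
}

// Between API calls the app only has the cached grant and the device clock.
// lastSeen is the highest timestamp observed so far (device or server);
// if the device clock is now behind it, fail closed until the next API check.
function offlineCheck(local: UnlockGrant | null, deviceNow: number, lastSeen: number): boolean {
  if (local === null) return false;
  if (deviceNow < lastSeen) return false;
  return deviceNow < local.expiresAt;
}
```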


#4

This is what I do as well, locking certain features behind an in-app purchase that changes a value in a SQLite database. The encryption layer is a smart move but something I wouldn’t be able to do myself and I doubt that many users are tracking and modifying database variables. I guess that if they really want to go out of their way to save $5, then it’s unlikely they would have purchased it anyways…


#5

Thanks for your input, it was very informative! I also do not use a server and my app does not have any user-to-user interaction. After reading your post I also looked into Secure Storage. Maybe I could combine it with an extra local obfuscation.

Thanks!


#6

It does not. I thought about using Google’s subscription options, but there the shortest option is one week.

Maybe I could use Firebase with Google’s authentication? It will be as safe as making a complete server-side app from scratch.