This latest .plist hysteria....

Discussion in 'iOS Programming' started by idelovski, Apr 6, 2012.

  1. idelovski, Apr 6, 2012
    Last edited: Apr 6, 2012

    idelovski macrumors regular

    Sep 11, 2008
    "Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account."

    Isn't this how prefs/config files are supposed to behave? I am doing exactly the same thing in all of my applications on Mac/Win/iOS. I put stuff into some file and if you move that file to another device my applications will use that file as if it was created on that device.

    Every time I buy a new Mac I drag a lot of files/folders from the ~/Library/Preferences folder (and a few other places) and I have everything set up on my new computer. Favorites/Bookmarks, cookies, even logins into web forums. Everything works as if I am using my old computer.

    In short, I use the Dropbox iOS framework and I am using it the way everybody else does. The framework saves everything in user defaults - DBSession.m:

        NSMutableDictionary *credentials = [NSMutableDictionary dictionaryWithDictionary:baseCredentials];
        [[NSUserDefaults standardUserDefaults] setObject:credentials forKey:kDBDropboxSavedCredentials];

    Username/mail and password are not saved, only the OAuth token. What else should they do?
  2. PhoneyDeveloper macrumors 68040


    Sep 2, 2008
    The OAuth token should probably be stored in the keychain. Then it couldn't be copied like a file. This is only an issue if an unauthorized person gains access to your device. You can set the device PIN if you worry about this.
  3. chown33 macrumors 604

    Aug 9, 2009
    Sailing beyond the sunset
    If the logins to web forums are stored in the keychain, then I'm willing to bet you have the same password on both the old Mac and the new one. Otherwise the keychain file won't be directly openable on the new Mac.

    By default, the keychain password is the same as your account's login password, but that can be changed. Then the account and the keychain have different passwords, and the keychain must be opened separately.

    The keychain file is encrypted. IIRC, it uses a password to generate a key, then that key encrypts the data. If the file is copied, the original data is encrypted. So unless someone uses the same password, or can brute-force the key (or the password that generates the key), then the original data in the keychain file shouldn't be readable.
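
The keychain suggestion made in this thread, as an added example that is not part of any post and is not Dropbox SDK code: the credentials dictionary is stored as a generic-password keychain item instead of in NSUserDefaults, and an existing defaults entry is migrated once. The service name, the `Example…` function names and the `account` label are hypothetical; ARC is assumed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name for this example; not a Dropbox SDK constant.
static NSString *const kExampleService = @"com.example.app.oauth-credentials";

static NSMutableDictionary *ExampleBaseQuery(NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kExampleService,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// Store a credentials dictionary. It must contain only property-list types,
// which already holds for anything that was saved in NSUserDefaults.
BOOL ExampleSaveCredentials(NSDictionary *credentials, NSString *account) {
    NSData *blob = [NSPropertyListSerialization dataWithPropertyList:credentials
                        format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];
    if (blob == nil) return NO;
    NSMutableDictionary *query = ExampleBaseQuery(account);
    SecItemDelete((__bridge CFDictionaryRef)query);        // replace any older item
    query[(__bridge id)kSecValueData] = blob;
    // ThisDeviceOnly: readable only while unlocked, never migrated to another device.
    query[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)query, NULL) == errSecSuccess;
}

// Returns nil when no item exists or the device is locked.
NSDictionary *ExampleLoadCredentials(NSString *account) {
    NSMutableDictionary *query = ExampleBaseQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess)
        return nil;
    NSData *blob = (__bridge_transfer NSData *)result;
    id plist = [NSPropertyListSerialization propertyListWithData:blob
                    options:NSPropertyListImmutable format:NULL error:NULL];
    return [plist isKindOfClass:[NSDictionary class]] ? plist : nil;
}

// One-time migration: move an existing NSUserDefaults entry into the keychain
// and delete the plaintext copy only after the keychain write succeeded.
void ExampleMigrateFromDefaults(NSString *defaultsKey, NSString *account) {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSDictionary *old = [defaults dictionaryForKey:defaultsKey];
    if (old != nil && ExampleSaveCredentials(old, account)) {
        [defaults removeObjectForKey:defaultsKey];
        [defaults synchronize];
    }
}
```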
