Is Playerprefs secure?

I want to store some sensitive data using playerprefs which is not supposed to be edited by player.

I have a feeling they just stores in plain text somewhere.

Is Playerprefs secure on iPhone?
Is Playerprefs secure on jailbreaked iPhone?

If not secure, what is the way of doing it?

I have been thinking, it should be secure on iPhone that is not jailbreaked cos player can’t access to file system. On a jailbraked iPhone, it is not secured.

Heres a solution that hasnt been put here, I wasnt going to post because old thread is old…
BUT people are still active on it, so here goes.

Just because playerprefs is insecure, doesnt mean you cant securely use it as it.

Remember unity is a C# machine, so go on the web and find C# code to encrypt data strings
to text string
turning say


into hJsl3zzS$nfhhass

then you can use playerprefs to store that!

encrypted information in a text file is just as secure as text in an encrypted file.
and you can hide any keys etc into the code of the program/game your making.
in fact with a bit of enginuity the first half of a key can be the IOS or android user account name, making it that much harder to figure out.

Further more, you could, if you so wish, use C# to then open the text file
and you can ZIP it up, with a password, thats also hidden in your account.
theres C# code for this freely available too.
just remember zipping and unzipping a compressed keyed file every time you access something
in it adds overhead to older devices you may not wish.

all of this is no harder then making a wrapper of your own to the playerprefs wrapper in unity.

PlayerPrefs is a wrapper for NSUserDefaults, so it’s no more secure than that.

All you can do is obscure the data and minimise the impact of someone breaking it. For example, don’t store a user’s password to your service, just store the MD5 of it (with salt), both on the device and on your service. That way, if their password is “I-use-this-password-everywhere”, then someone who hacks the device (or your hosting service) only gets access to your service, not the user’s other sites where they foolishly use the same password.

If it’s something like how many credits they’ve got, make sure that if they fake it, all they can get from you is 1000 in-game hats and a bad conscience, not 1000 real-world hats. (storing it on the server doesn’t make it unhackable, since they can fake the traffic from your app).

I want to store some sensitive data using playerprefs which is not supposed to be edited by player.

It’s (to my knowledge) impossible to make it 100% uneditable if the process of encryption happens on the device. What you can do to make it harder is to use a public decryption key (encrypting it with a private key you immediately throw away) that you store along side the data. The down side is that if the code that is encrypting is available on the device, it can be reverse engineered to make an encryption. At least it becomes a lot harder to crack open. This would prevent people from simply editing a file since the data has to be encrypted first. If they don’t know how to encrypt the data properly they can’t modify the contents.

A work around to this would be having an encryption server online, where your application send a request to encrypt a piece of information. It would generate the encrypted information and a decryption key that is sent back to the application. This way you need your server to deduce what are valid values and what are not. Obviously this has its disadvantages as well. The question is HOW sensitive your data is and what measures you’re willing to put into protecting it.