How Hackers Exploit UserDefaults in Your iOS Mobile Apps ?

UserDefaults is a simple key-value storage system in iOS and macOS. Developers use it to save small amounts of non-sensitive data like settings, preferences, or basic state information. This data persists across app launches.

Each app's UserDefaults data is stored in a sandboxed folder as a .plist file at:

/var/mobile/Containers/Data/Application/<App-Sandbox-UUID>/Library/Preferences/<Bundle-ID>.plist

Normally, iOS sandboxing prevents other apps from accessing this data. However, on jailbroken devices, these sandbox restrictions are bypassed. This means an attacker can freely read, modify, or exploit the key-value entries stored in UserDefaults.

Important: The techniques discussed here assume a jailbroken environment. On standard, non-jailbroken devices, these actions are blocked by iOS’s security model.

Consider this Swift code from a login method that insecurely stores a JWT token:

let response = try await self._service.login(
    requestDTO: LoginRequestDTO(username: self.username, password: self.password)
)

// ⚠️ Risky: Save JWT token in UserDefaults (plaintext)
UserDefaults.standard.set(response.jwt, forKey: "jwtToken")

On a jailbroken device, an attacker with root access via SSH can navigate to the app’s sandbox directory and easily extract this token from the .plist file.

To make things simpler, I have created a script that automates connecting to a jailbroken device and dumping UserDefaults data. You can find it at my GitHub: iOS UserDefaults Dumper.

The image above shows a terminal window where the script has successfully read the UserDefaults of an app, exposing the plaintext jwtToken.

In conclusion, storing data in UserDefaults without encryption is risky. Sensitive information like session tokens can be easily accessed on jailbroken devices, leading to security breaches.

Best Practice: For any critical data, always use a more secure storage solution. Apple's Keychain is designed specifically for securely storing small, sensitive items.