I use a very similar encryption method in my current app to save the users and the game save data. Since I use in-app purchases, I don't want them to go in and change all their details. Here is my process:
userInfo table-->Json Encode-->Proprietary key-based rotation algorithm-->Stored in a string
gameData table-->Json Encode-->Proprietary key-based rotation algorithm-->Stored in a string
userInfoString-->Base64 (Better for SQL to prevent errors)
userInfoString-->SHA-384 key-hashed = userInfoHash
gameDataString-->SHA-384 key-hashed = gameDataHash
I then store the base64'd data and it's corresponding hash into a SQL database. When the app loads, I compare the stored data to it's hash and if it has been changed, I reset the users data. I also hash the entire database itself to prevent an injection
attack. Each hash uses a different key that is based on the user, so it can't be shared to other users but still works when playing on your iPad or one of your other devices.
This offers way more security then just hashing or just encrypting and the result is still a small, quickly created file. The final file is still incredibly small since all of my saved data is essentialy just a big json text file. The resulting DB file was less than 100kb max size.
As a side note, all types of encryption can be reversed by someone who knows what they're doing. But what I'm doing here is making that as hard as possible while still keeping quick, efficient encryption (Not going overboard). Nobody is going to brute force
the hash, what they would do is run the app through a debugger
and see how to encryption is ran, then find the key used to encrypt it in the devices memory. If they're able to get the correct encryption process and obtain the keys then you're out of luck, but the % of people who could do that is very minimal and they wouldn't be buying from you anyway ;)
It's also a good idea to store your key in a table, then overwrite it with blank/dummy data after encryption. This is because LUA strings are immutable
and would make it a Lot easier for an attacker to find the correct memory location and obtain the key.
Hope that helps,
uid: 63320 topic_id: 17199 reply_id: 106309