I created a small Cordova iOS hybrid project which has login functionality in a JSP page. We took a memory dump of the app on a jailbroken device and found the password is visible in it. Is there any way to remove sensitive information from UIWebView heap memory?
Password found in heap dump - iOS
Is there any way to remove sensitive information from UIWebView heap memory?
No. If the password is used in cooperation with Apple’s high-level frameworks (for example, you get it from a secure text field, or you use it with NSURLSession), it’s infeasible to scrub it from memory. My posts on this thread discuss this in more detail.
ps If you’re concerned about security, you definitely need to move over to WKWebView, as explained in WWDC 2018 Session 207 Strategies for Securing Web Content.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"