How to Encrypt URLCache?

I'd like to encrypt data stored on disk via default URLCache.


What I did is call this method in my data tasks' completion block:

NSData *encryptedData = [data encrypted];
NSCachedURLResponse *newCachedResp = [[NSCachedURLResponse alloc]
                              initWithResponse:httpResponse
                              data:encryptedData]; 
[weakUrlCache storeCachedResponse:newCachedResp forRequest:urlRequest];


The problem I encountered though is that URLRequest (which is a key for URLCache) has an Authorization header field with a token that I want to be encrypted as well. However, although the response is encrypted, URLRequest (with its headers) is not.

This makes it possible for me to pull Cache.db from a bundle and obtain the user's token.


Is there any better way to encrypt that data?

I'd like to encrypt data stored on disk via default URLCache.

Why? The NSURLCache database is already encrypted via iOS’s file protection system. What extra security are you hoping to add here?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I had a similar question after a round of pen testers evaluated our app to find Cache.db included access tokens in a request/response cache.


For the short term we have a urlcache subclass set as shared, which doesn’t cache anything with our access token while we look into it.


Is there a way to protect this? Did we have something set up improperly? Or were the pen testers evaluating something incorrectly?

I get this question a lot and I’m skeptical of the security impact here. The cache files on disk are protected by file protection, as I mentioned earlier. If an attacker has defeated file protection, you have other, bigger security problems.

Regardless, if you want to make your pen testers happy then I recommend that you avoid letting the URL caching subsystem see your access tokens at all. You don’t need to subclass NSURLCache to do this. Rather:
  • You can disable caching completely by setting the URLCache property of the NSURLSessionConfiguration to nil.
  • You can disable on-disk caching by creating a new cache with diskCapacity set to 0.
  • You can override -URLSession:dataTask:willCacheResponse:completionHandler: to return a cached response stripped of any sensitive data.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
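
The three options listed in the reply above, as an added example that is not part of the original thread or Apple's own code. The class name TokenSafeSessionDelegate, the helper MakeSession and the 4 MB memory capacity are assumptions. Because the token sits in the request rather than in the response, the delegate here restricts such entries to in-memory storage instead of editing the response body.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical delegate class; the name is an assumption for this example.
@interface TokenSafeSessionDelegate : NSObject <NSURLSessionDataDelegate>
@end

@implementation TokenSafeSessionDelegate

// Option 3: inspect each response before the URL loading system caches it.
- (void)URLSession:(NSURLSession *)session
          dataTask:(NSURLSessionDataTask *)dataTask
 willCacheResponse:(NSCachedURLResponse *)proposedResponse
 completionHandler:(void (^)(NSCachedURLResponse * _Nullable))completionHandler
{
    NSURLRequest *request = dataTask.currentRequest ?: dataTask.originalRequest;
    if ([request valueForHTTPHeaderField:@"Authorization"] == nil) {
        completionHandler(proposedResponse);   // no token involved, cache as proposed
        return;
    }
    // The request carries a token: ask for memory-only storage for this entry.
    NSCachedURLResponse *memoryOnly =
        [[NSCachedURLResponse alloc] initWithResponse:proposedResponse.response
                                                 data:proposedResponse.data
                                             userInfo:proposedResponse.userInfo
                                        storagePolicy:NSURLCacheStorageAllowedInMemoryOnly];
    completionHandler(memoryOnly);             // pass nil instead to skip caching entirely
}

@end

// Hypothetical helper: builds a session using one of the two configuration-level options.
static NSURLSession *MakeSession(BOOL disableCacheCompletely) {
    NSURLSessionConfiguration *config =
        [NSURLSessionConfiguration defaultSessionConfiguration];
    if (disableCacheCompletely) {
        config.URLCache = nil;                 // Option 1: no URL cache at all
    } else {
        // Option 2: memory cache only, nothing written to disk (4 MB is a sample value).
        config.URLCache = [[NSURLCache alloc] initWithMemoryCapacity:4 * 1024 * 1024
                                                        diskCapacity:0
                                                            diskPath:nil];
    }
    return [NSURLSession sessionWithConfiguration:config
                                         delegate:[TokenSafeSessionDelegate new]
                                    delegateQueue:nil];
}
```

The delegate callback only runs for data tasks created without a completion handler; tasks created with the completion-handler convenience methods rely on the configuration-level options.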