
I have a Login screen where a user has to enter their username and password. I always store the password in a variable and send it over to the server. Then I leave the function's context and everything is fine because I have no reference to the valuable information anymore.

But this time it needs to be really secure. When somebody asks me about security in my app and how the app would handle his password, I want to be able to say "Don't worry. Your data is safe."

So if there were a hacked app on the user's phone which manages to break out of its sandbox right after my user entered his password and it has been sent to the server, I want to erase that part of the memory so the malicious app cannot inspect my threads and just pick the password from it.

This question concerns Swift 3.x. I have thought of deinitializing a wrapper class around the credentials, but would that be enough? How does iOS handle such deinitializations?

Any suggestions on this?

Thanks.

  • How about hashing the password before it is sent to the server and only holding its hash value, not the real value? – Komang Sidhi Artha Jun 16 '17 at 06:15
  • Unfortunately I need to bring the password over in plain text. I use HTTPS and certificate pinning to avoid MitM attacks. – FlixMa Jun 16 '17 at 06:18
  • I'm not really good with memory in this matter, but should setting the variable to "" be enough? – Komang Sidhi Artha Jun 16 '17 at 06:26
  • That's exactly my question. But I need someone who can say it with certainty and maybe also provide a reference. – FlixMa Jun 16 '17 at 06:49
  • Apple's `NSTextView` is mostly insecure for your requirements. The control provides a password mask to hide the typed characters, but they don't zeroize. You will need to roll your own control to zeroize the sensitive material. In the past (and it's probably still true today), Apple used a SecureAllocator, but it did not zeroize. They just skipped that step during deallocation. – jww Jun 17 '17 at 20:06
  • Why do you *need* to send the password in plain text? If you're storing passwords as hashes, as you should be, then hashing it on the client side and sending that over should be fine. – knoight Jun 17 '17 at 20:20
  • @knoight The app is being written for a university and therefore the whole backend is already there. We're not allowed/able to change anything with the authentication (which fits the proverb 'never touch a running system'). That's why my team and I needed to build on top of that, which isn't quite easy all the time, and all that integration stuff which has to be done by a sysadmin unfortunately takes way too much time :( So we're trying to make the best out of our current situation. – FlixMa Jun 17 '17 at 21:53
  • @jww So to be sure that the variable gets zeroed out after usage, I will have to implement my own version of textfield, right? Otherwise I could never be sure that every reference to memory and the memory itself contains the sensitive data. – FlixMa Jun 17 '17 at 22:01
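A sketch of the wrapper class the question has in mind, added here as an example (it is not code from the question or the comments). It assumes Foundation on Darwin so that `memset_s` is available, and it can only wipe bytes it owns: the `String` the text field hands over, and any copies the framework made, are outside its reach, which is the point raised in the comments.

```swift
import Foundation

/// Added example, not code from the question or its comments. Holds a secret
/// as raw bytes and overwrites them when released. Assumes Foundation on
/// Darwin, where memset_s (C11 Annex K) is available.
final class SecureBytes {
    private var storage: [UInt8]

    /// Swift arrays are copy-on-write: if the caller keeps its own array alive,
    /// zero() would write to a private copy and the caller's bytes would
    /// survive. Pass a temporary and keep no other reference to it.
    init(bytes: [UInt8]) {
        storage = bytes
    }

    var count: Int { return storage.count }

    /// Lend the bytes to a closure (e.g. to build the request body) instead of
    /// materialising a String, which Swift copies freely and never wipes.
    func withBytes<R>(_ body: (UnsafeBufferPointer<UInt8>) throws -> R) rethrows -> R {
        return try storage.withUnsafeBufferPointer(body)
    }

    /// Overwrite the buffer. memset_s may not be optimised away by the
    /// compiler, unlike a plain loop or memset on memory that is about to die.
    func zero() {
        storage.withUnsafeMutableBufferPointer { buf in
            guard let base = buf.baseAddress, buf.count > 0 else { return }
            _ = memset_s(base, buf.count, 0, buf.count)
        }
    }

    deinit { zero() }
}

/// Illustrates the lifecycle with a constructed sample password. In the app
/// the bytes would come from the text field; the field's own String copy is
/// not covered by this wrapper and would still need a custom control to wipe.
func sendAndWipe(password: String) -> Int {
    let secret = SecureBytes(bytes: Array(password.utf8))
    // Build the body straight from the buffer; Data.resetBytes clears that copy too.
    var body = secret.withBytes { Data(buffer: $0) }
    let sent = body.count          // stand-in for the network call
    body.resetBytes(in: 0..<body.count)
    secret.zero()                  // deinit would do this as well
    return sent
}
```

Setting a `String` variable to `""` only drops a reference; the old characters stay wherever the runtime put them until something overwrites that memory, which is why the wrapper keeps the secret in a buffer it can address directly.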
