I'm thinking about improving data protection in my iOS app, and first of all I want to determine the steps that I need to take first.

Our app doesn't have any explicit protection for locally stored data: we use NSUserDefaults for simple configs & settings and Codable objects for user data stored in files in the Documents directory.

User data comes from the API over HTTPS and we just cache it in the way described above. I thought that the first thing I needed to improve would be implementing best practices for keeping my local storage secure; however, I started to doubt it.

Please advise: are my thoughts correct?

  1. Since all locally stored data is a reflection of API responses, is it worth worrying about local data protection when any user can just install Charles and sniff the data without trying to hack local storage?
  2. Are there any pros to having local storage protected while still being vulnerable to a man-in-the-middle attack, if local data == API data?

Thanks in advance for help!

anversa93
  • The long and short of this answer is it depends on your situation. In most cases public api responses are public, so I would think it superfluous, but if you are accessing the API with a token and key, then your responses could be private and specific to your individual token/key combo. Your question is just too broad. – Liftoff Oct 10 '19 at 20:27
  • Hi David, my API is private and protected with a JWT token. But still, in case a bad guy steals the user's iPhone, there is no problem opening my app, installing the Charles root cert and sniffing all traffic to get valuable info (JWT won't help), instead of hacking the app's local storage. To re-phrase my question: is man-in-the-middle protection the first thing to do compared to all other security improvements in my case? – anversa93 Oct 10 '19 at 20:37
  • By default, data stored on the device is protected by the on-device encryption when it is locked. So unless the attacker has the device passcode they cannot access the data at rest. – Paulw11 Oct 11 '19 at 00:05
  • So you mean to say that a user will not password-protect his iPhone... In such a case there is not much that can be done if the device is lost. – Soumen Mukherjee Oct 11 '19 at 14:36
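The two concerns raised in the question and its comments (data at rest on a lost device, and a proxy such as Charles with a user-installed root certificate on the TLS path) map to two independent controls, shown below as an added example that is not code from the question's author. The first writes the Codable cache with NSFileProtectionComplete, which is stronger than the default class for third-party app files (complete until first user authentication, under which data stays readable after the first unlock since boot). The second is a URLSessionDelegate that, after normal chain validation, additionally requires the server's leaf public key to match a pinned SHA-256 digest, so a root certificate the user added to the device's trust store is not enough to be accepted. `UserProfile`, the cache file name and the pin string are placeholders; CryptoKit and `SecTrustEvaluateWithError` assume iOS 13 or later.

```swift
import Foundation
import CryptoKit

// Added example; not code from the original post. UserProfile, the file
// name and the pinned hash are placeholders to be replaced by the real app.

struct UserProfile: Codable {
    let id: Int
    let email: String
}

/// Encodes `value` as JSON into Documents/<name>.json with NSFileProtectionComplete.
/// The default class for app files only protects data until the first unlock
/// after boot; .completeFileProtection keeps the file unreadable whenever the
/// device is locked, including by the app itself.
func writeProtectedCache<T: Encodable>(_ value: T, name: String) throws -> URL {
    let docs = try FileManager.default.url(for: .documentDirectory,
                                           in: .userDomainMask,
                                           appropriateFor: nil,
                                           create: true)
    let url = docs.appendingPathComponent("\(name).json")
    let data = try JSONEncoder().encode(value)
    // .atomic avoids a half-written file if the app is suspended mid-write.
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

/// Reads the cache back. This throws while the device is locked, so callers
/// that can run in the background (e.g. a background fetch) must tolerate it.
func readProtectedCache<T: Decodable>(_ type: T.Type, name: String) throws -> T {
    let docs = try FileManager.default.url(for: .documentDirectory,
                                           in: .userDomainMask,
                                           appropriateFor: nil,
                                           create: false)
    let data = try Data(contentsOf: docs.appendingPathComponent("\(name).json"))
    return try JSONDecoder().decode(type, from: data)
}

/// Accepts a server only if its leaf certificate's public key hashes to one of
/// `pinnedKeyHashes` (hex SHA-256 of the bytes returned by
/// SecKeyCopyExternalRepresentation). Ship at least two pins (current key plus
/// a backup) so a key rotation does not lock users out of the API.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: Set<String>

    init(pinnedKeyHashes: Set<String>) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: standard chain, expiry and hostname validation. A proxy root
        // installed in the user's trust store passes this step, which is why
        // step 2 is needed.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: the leaf public key must match a pin.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let hash = publicKeyHash(of: leaf),
              pinnedKeyHashes.contains(hash) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private func publicKeyHash(of certificate: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(certificate),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        return SHA256.hash(data: keyData).map { String(format: "%02x", $0) }.joined()
    }
}

// Usage: one pinned session for all API calls. The placeholder must be replaced
// with the digest computed from your own server's public key.
let pinnedSession = URLSession(configuration: .default,
                               delegate: PinningDelegate(pinnedKeyHashes: ["<sha256-hex-of-your-api-public-key>"]),
                               delegateQueue: nil)
```

The key is pinned rather than the certificate so that a routine certificate renewal with the same key does not break the app; the pin only needs to change when the server key does, and a backup pin covers that transition. Neither control depends on the other: file protection limits what is recoverable from a locked device, pinning limits what a proxy on the network path can observe, and on a jailbroken device both can be undermined, so they reduce exposure rather than eliminate it.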

0 Answers