NSURLCache vulnerabilities

NSURLCache caches requests and responses by default when an iOS application performs an NSURLRequest. This can lead to sensitive data being exposed.

As a result, some of the application's communications could be exposed, and these may contain sensitive information such as user credentials, authentication tokens, or Personally Identifiable Information (PII).

Affected Files:

  • /var/mobile/Containers/Data/Application/<AppGUID>/<AppName>/Cache.db

  • /var/mobile/Containers/Data/Application/<AppGUID>/<AppName>/Cache.db-wal

  • /var/mobile/Containers/Data/Application/<AppGUID>/<AppName>/Cache.db-shm


It is recommended to disable client-side caching to prevent the automatic recording of API communications in the cache. The Secure Mobile Development guide can be reviewed for further information regarding the aforementioned caching issue.
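
One way to disable client-side caching as recommended above, using URLSession in Swift. This is an added example, not code from the original page; `NoCacheSessionDelegate` and `makeNoCacheSession` are hypothetical names.

```swift
import Foundation

// Added example: build a URLSession that never writes responses to Cache.db.
// NoCacheSessionDelegate and makeNoCacheSession are hypothetical names.

final class NoCacheSessionDelegate: NSObject, URLSessionDataDelegate {
    // Asked before a response to a delegate-based data or upload task is cached.
    // Passing nil to the completion handler tells the session not to store it.
    func urlSession(_ session: URLSession,
                    dataTask: URLSessionDataTask,
                    willCacheResponse proposedResponse: CachedURLResponse,
                    completionHandler: @escaping (CachedURLResponse?) -> Void) {
        completionHandler(nil)
    }
}

func makeNoCacheSession() -> URLSession {
    // Purge anything the shared cache has already recorded, then shrink it
    // to zero so code that still uses URLSession.shared stores nothing new.
    URLCache.shared.removeAllCachedResponses()
    URLCache.shared.memoryCapacity = 0
    URLCache.shared.diskCapacity = 0

    // Ephemeral sessions keep no cache, cookies or credentials on disk.
    let config = URLSessionConfiguration.ephemeral
    config.urlCache = nil                                     // no cache object at all
    config.requestCachePolicy = .reloadIgnoringLocalCacheData // never read a cached copy

    // The session holds a strong reference to its delegate until invalidated.
    return URLSession(configuration: config,
                      delegate: NoCacheSessionDelegate(),
                      delegateQueue: nil)
}

// Usage: route API calls through the cache-free session.
// "https://api.example.com/profile" is a placeholder URL.
let session = makeNoCacheSession()
if let url = URL(string: "https://api.example.com/profile") {
    session.dataTask(with: url).resume()
}
```

After deploying such a change, the three Cache.db files listed above can be inspected on a test device to confirm that no new API responses are recorded.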

It should be noted that the default NSURLCache does not support altering the protection level.

Consequently, all requests and responses will be cached and left unprotected at rest by NSURLCache, even when the application implements Data Protection at the application level.

If the URL cache is required, this can be avoided with a custom NSURLCache subclass that stores responses in an SQLite DB file with the NSFileProtectionComplete attribute set.
