- Code was found that stores a secret such as a password or key in NSUserDefaults.
- Consider another secret storage mechanism such as the Keychain API.

The keys and values saved in NSUserDefaults are stored in an unencrypted file that can be easily viewed. Therefore, NSUserDefaults is not a secure way to store secrets. Secrets should be stored using a different mechanism such as the Keychain API.

The severity of this issue depends on the sensitivity of the secret and the impact of any attack leveraging that secret.