Hi Team,

The user token/passwords and details are still available in memory after submission in my iOS mobile application. This allows an attacker with physical access to the user's system to access the memory and steal the credentials. I was able to extract the user details with fridump.

https://github.com/rootbsd/fridump3

The clear text details in the memory should be reset after computing the hash on the login function. A simple recommendation there is: It's recommended to clear sensitive values and set them to null values in application memory after they are used. Also, it's recommended to not store sensitive values (such as passwords) as plain text values; as a mitigation, a hash/XOR function can be used.

Technically it makes sense (at least from my experience using other languages such as C / C++ / C# / Objective-C / Java etc.). However, apparently Swift has some strange runtime mechanism of caching strings in memory. Meaning that even if you remove the content or modify a string in memory, its content will still be cached somewhere in memory, either as leftovers or copies (see images below). I'm familiar with the concept of automatic reference counting in ObjC and Swift, but for Swift specifically it seems to be more than that. In Objective-C and C in general, I never had this issue, because it's allowed to have more control from the developer perspective, such as writing C code in Objective-C (e.g. calling memset on a heap allocated string).

Reading some threads:

https://developer.apple.com/forums/thread/106405
https://developer.apple.com/forums/thread/44121
https://developer.apple.com/forums/thread/4879
https://stackoverflow.com/questions/60702113/how-to-remove-the-string-from-the-memory-for-security-reasons-in-ios-is-it-even/

The last comment there by eskimo from the 2nd thread is the same thought process I had. Eventually a Text Field requesting you to enter a password will return a copy. Even if we use Unsafe Swift features, eventually a Text Field will return a copy of a string from a safe context.

I was thinking even creating a custom UI control where it will override some of the text change events and store them on a static buffer where each character is XORed, meaning that even if we get the text from the custom UI control somewhere in the consumer code, it will return a copy, but an encrypted XORed string of the user's password.

So, what are your thoughts? What are the solutions?
Posted by uceka.
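The masked static buffer proposed in the post, sketched in C because the post points out that C-level control (such as `memset` on a buffer) is available from Objective-C. This is an added example, not code from the post or from Apple; `pw_begin`, `pw_append`, `pw_consume` and `demo_digest` are hypothetical names, and the custom control is assumed to deliver one byte per text-change event.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>

#define PW_MAX 128
/* Hypothetical backing store for a custom password control. Only masked bytes
   are kept; the pad sits in the same process, so this hides the cleartext from
   a string search of a dump, it is not encryption. */
static uint8_t pw_pad[PW_MAX], pw_masked[PW_MAX];
static size_t pw_len;

/* Volatile stores cannot be optimized away; memset_s() is the libc
   equivalent on Apple platforms. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* New entry: fresh random pad read straight into place, old state wiped.
   Callers must stop on -1, since an unfilled pad masks nothing. */
int pw_begin(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    ssize_t got = fd >= 0 ? read(fd, pw_pad, PW_MAX) : -1;
    if (fd >= 0) close(fd);
    secure_wipe(pw_masked, PW_MAX);
    pw_len = 0;
    return got == PW_MAX ? 0 : -1;
}

/* Text-change event: one typed byte arrives and is masked immediately. */
int pw_append(uint8_t ch) {
    if (pw_len >= PW_MAX) return -1;
    pw_masked[pw_len] = (uint8_t)(ch ^ pw_pad[pw_len]);
    pw_len++;
    return 0;
}

typedef void (*pw_consumer)(const uint8_t *pw, size_t len, void *ctx);

/* Unmask into a stack scratch buffer only while `use` runs (the login hash),
   then wipe scratch, masked bytes and pad. */
void pw_consume(pw_consumer use, void *ctx) {
    uint8_t scratch[PW_MAX];
    for (size_t i = 0; i < pw_len; i++)
        scratch[i] = (uint8_t)(pw_masked[i] ^ pw_pad[i]);
    use(scratch, pw_len, ctx);
    secure_wipe(scratch, sizeof scratch);
    secure_wipe(pw_masked, PW_MAX);
    secure_wipe(pw_pad, PW_MAX);
    pw_len = 0;
}

/* Stand-in consumer (FNV-1a, NOT a password hash) so the example runs alone. */
void demo_digest(const uint8_t *pw, size_t len, void *ctx) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) h = (h ^ pw[i]) * 16777619u;
    *(uint32_t *)ctx = h;
}
```

The sketch covers only bytes that reach the buffer directly; it does not remove the String copy a standard text field returns, which is the limitation the post describes.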