Is it possible to prevent response caching across the app? (Including external libraries)

As part of a security assessment, we discovered that our app is storing sensitive information in the cache.

After some research and considering the recommendations, we decided to use .ephemeral configurations for our URLSessions, so far so good.

However, taking a look at the content in the cfurl_cache_receiver_data table, we realized that some of those responses are not part of any of our endpoints, meaning that this is probably coming from requests made for third-party libraries that we use and we were able to confirm this by using a tool to inspect network traffic.

My understanding is the cache mechanism is attached to a URLSessionConfiguration and, at the same time, this configuration is tied to a URLSession. Since this is not our code and therefore different URLSessions it makes sense that this caches the responses for any request. Please correct me if this is wrong.

I am wondering if there is a way to disable the caching across the app (including requests made for third-party libraries?) or if there is a different/better approach to this?

I am attaching a screenshot of the cfurl_cache_receiver_data table content.

For example: token=[value]. This is not the response of one of our endpoints, but an external one.

Thanks in advance!

PS: Is there a way to easily map the data in the cache.db with the particular endpoint/request?

Replies

> Since this is not our code and therefore different [URLSession instances] it makes sense that this caches the responses for any request.

That’s right.

> I am wondering if there is a way to disable the caching across the app (including requests made for third-party libraries?) … ?

There is not.

Having said that, if you’re that concerned about security you might want to take another look at your dependencies. If you have the source code for a library, you can change how it sets up its URLSession. If you don’t have the source code then… well… do you really want that in your app?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
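
On the question's postscript about mapping cache.db rows to requests, here is an added example (not part of the original thread, and not Apple's code) that joins cfurl_cache_receiver_data to the request URL and flags third-party and sensitive-looking entries. It assumes the commonly observed but undocumented layout in which a cfurl_cache_response table holds the URL in request_key and shares entry_ID with cfurl_cache_receiver_data; the host names and rows are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Assumed Cache.db layout (undocumented; may differ between OS versions):
#   cfurl_cache_response(entry_ID, request_key, time_stamp)  -- request_key is the URL
#   cfurl_cache_receiver_data(entry_ID, isDataOnFS, receiver_data)
SENSITIVE = re.compile(rb"(token|password|secret|session)\s*[=:]", re.I)

def audit_cache(conn, first_party_hosts):
    """Join each cached body to its request URL and flag what needs review."""
    rows = conn.execute(
        "SELECT r.request_key, r.time_stamp, d.isDataOnFS, d.receiver_data "
        "FROM cfurl_cache_receiver_data AS d "
        "JOIN cfurl_cache_response AS r ON r.entry_ID = d.entry_ID "
        "ORDER BY r.entry_ID")
    findings = []
    for url, stamp, on_fs, body in rows:
        host = (urlsplit(url).hostname or "").lower()
        body = body.encode() if isinstance(body, str) else (body or b"")
        findings.append({
            "url": url, "host": host, "cached_at": stamp,
            "third_party": host not in first_party_hosts,
            # Assumption: with isDataOnFS = 1 the body is a separate file and
            # receiver_data only names it, so it cannot be scanned from the DB.
            "sensitive": None if on_fs else bool(SENSITIVE.search(body)),
        })
    return findings

def build_sample_db():
    """Constructed rows standing in for a Cache.db copied from a test device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY,"
        " request_key TEXT, time_stamp TEXT);"
        "CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY,"
        " isDataOnFS INTEGER, receiver_data BLOB);")
    conn.executemany("INSERT INTO cfurl_cache_response VALUES (?, ?, ?)", [
        (1, "https://api.example.com/v1/profile", "2024-01-01 10:00:00"),
        (2, "https://sdk.vendor.example/auth", "2024-01-01 10:00:05")])
    conn.executemany("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?, ?)", [
        (1, 0, b'{"name": "A"}'),
        (2, 0, b"token=[value]")])
    return conn

if __name__ == "__main__":
    for f in audit_cache(build_sample_db(), {"api.example.com"}):
        print(f)
```

To run it against a real file, pass `sqlite3.connect("Cache.db")` for a copy taken from a test build's container, together with the set of hosts your own sessions talk to.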