Swift memory security

Say I grab a password from a keychain:


var password: String? = getPasswordFromKeychain() // hypothetical helper; the type must be Optional for the nil assignment below to compile
// use password
password = nil // don't keep user secrets hanging around in memory


Does Swift/OSX/iOS make any guarantees about what happens to the password bytes? How about the buffer that was used to return results by the Keychain API? You get the idea.

Replies

How is anyone going to even gain access to the location in memory where the buffer is?

Apps are sandboxed.

> Does Swift/OSX/iOS make any guarantees about what happens to the password bytes?

No.

> How about the buffer that was used to return results by the Keychain API?

No.


As HyperNovaSoftware mentioned, this protection is enforced by the OS at process boundaries.


Share and Enjoy

--

Quinn "The Eskimo!"

Apple Developer Relations, Developer Technical Support, Core OS/Hardware

I don't think sandboxing is relevant here since it's meant to limit the damage that a rogue process can do, and that doesn't include preventing a process from reading its own memory. In fact, the whole point of sandboxing is to assume that apps can be compromised. Of course, a kernel exploit would make it all moot. Apple's own recommendation is to zero-out sensitive data:


> Scrub (zero) user passwords from memory after validation.
>
> Passwords must be kept in memory for the minimum amount of time possible and should be written over, not just released, when no longer needed. It is possible to read data out of memory even if the application no longer has pointers to it.

(Apple, "Security Development Checklists", 2014-02-11, Copyright © 2014 Apple Inc.)

> Apple's own recommendation is to zero-out sensitive data:

Indeed. My point is that:

  • Swift makes no guarantees about this, and

  • given the complexities of the Cocoa [Touch] frameworks, it's infeasible to use our high-level APIs and follow this recommendation

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1@apple.com"

OK. Is it possible to protect user secrets stored in memory using Swift with any Apple APIs--high-level or low-level?

You'd have to get really low-level. The most common Swift constructs for this sort of thing (String, Array<UInt8>) are value types but the underlying storage typically comes from a heap block that you don't have access to. OTOH, there's nothing stopping you from calling low-level memory allocators in Swift, at which point you could scrub the memory before freeing it.

The problem with doing this is that it's not practical. Let's say you need to ask the user for a password; how are you going to do that? Most folks would use a text field with the secure (secureTextEntry) flag set. How does that field return its value? Via an NSString. Can you reliably scrub that memory? No.

The same sort of logic applies to network I/O, file I/O, the keychain, and everything else you might want to do with your security-sensitive data.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
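The low-level approach Quinn describes above (own the allocation yourself and scrub it before freeing it), which is also what the Apple checklist quoted earlier means by "written over, not just released", as an added example that is not code from this thread or from Apple. It assumes macOS/iOS with the Security framework, a generic-password keychain item for the given service/account, and the Darwin memset_s function; the names SecretBuffer and readKeychainPassword and the sample password "hunter2" are this example's own constructions. Note the limit Quinn points out: the Data that SecItemCopyMatching hands back is a framework-owned block, so this code copies it out and drops its reference, but cannot scrub it.

```swift
import Foundation
import Security

// Owns its own heap block so the bytes can be written over before the block is
// released, which a String, Array<UInt8> or Data does not let you do reliably.
final class SecretBuffer {
    private let base: UnsafeMutablePointer<UInt8>
    let count: Int

    init(copying bytes: Data) {
        count = bytes.count
        base = UnsafeMutablePointer<UInt8>.allocate(capacity: max(count, 1))
        base.initialize(repeating: 0, count: count)
        bytes.copyBytes(to: base, count: count)
    }

    // Hand the bytes out only for the duration of a closure, so no copy of the
    // pointer outlives the buffer by accident. Callers must not retain it.
    func withBytes<R>(_ body: (UnsafeBufferPointer<UInt8>) throws -> R) rethrows -> R {
        try body(UnsafeBufferPointer(start: base, count: count))
    }

    // Constant-time comparison: every byte is visited regardless of where the
    // first mismatch is, so timing does not reveal how much of a guess was right.
    func equals(_ other: SecretBuffer) -> Bool {
        guard count == other.count else { return false }
        var diff: UInt8 = 0
        for i in 0..<count { diff |= base[i] ^ other.base[i] }
        return diff == 0
    }

    deinit {
        // memset_s (C11 Annex K) is specified not to be optimised away, unlike a
        // plain memset on memory the compiler can see is about to be freed.
        _ = memset_s(base, count, 0, count)
        base.deallocate()
    }
}

// Reads a generic-password item's secret into a SecretBuffer (hypothetical
// helper). The Data returned by SecItemCopyMatching is framework-owned: it is
// copied out and released here, but nothing in this process can scrub it.
func readKeychainPassword(service: String, account: String) -> SecretBuffer? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return nil }
    return SecretBuffer(copying: data)
}

// Usage: both buffers are scrubbed and freed when they go out of scope.
// The service, account and typed password are constructed sample input.
if let stored = readKeychainPassword(service: "com.example.app", account: "alice") {
    let typed = SecretBuffer(copying: Data("hunter2".utf8))
    print(stored.equals(typed) ? "match" : "mismatch")
    stored.withBytes { bytes in print("secret length: \(bytes.count)") }
}
```

The scrubbing only covers the two blocks this code allocates. The keychain's returned Data, the NSString a secure text field would produce, and any temporaries Swift's String or Data bridging creates along the way are exactly the copies Quinn says you cannot get at from the high-level APIs, so treat this as reducing, not eliminating, the lifetime of the secret in memory.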

I am looking at some Swift code that is wrapping sensitive code in autoreleasepool{ } blocks. Is that going to achieve anything?