敏感数据存储在cache.db-wal文件中？ [英] Sensitive Data stored in cache.db-wal file?

问题描述

我在iOS应用程序中遇到一个问题，该应用程序使用UIWebView呈现HTML5代码，该代码是应用程序包的一部分。

I am facing an issue in an iOS application that uses a UIWebView to render HTML5 code that is part of the application bundle.

此HTML5代码向我们的后端发出ajax请求，这些请求可能包含敏感数据。这一切都是通过HTTPS完成的，我们的应用程序从不存储敏感数据。但是，在对应用程序进行安全性测试时，我们发现http post请求存储在iOS 5的本地SQL Lite数据库（cache.db）中。

This HTML5 code makes ajax requests to our backend which may potentially have sensitive data in them. This is all done over HTTPS and our application never stores the sensitive data. However, when doing security testing for the application, we found that http post requests where being stored in a local SQL Lite database (cache.db) as of iOS 5.

通过将NSURLCache全局对象设置为零磁盘存储并在适当时删除该文件，可以轻松管理它。

It was easy to manage that, by setting the NSURLCache global object to have zero disk storage, and deleting the file when appropriate.

然而，现在看起来在iOS 6.1中Apple再次改变了实现，数据存储在cache.db-wal中。我对SQL Lite的了解有限，但我认为这是在使用某些选项初始化SQL Lite时创建的文件。

Now however, it looks like in iOS 6.1 Apple has changed the implementation again, and the data is being stored in cache.db-wal. I have limited knowledge of SQL Lite, but I think this is a file created when SQL Lite is initialized with certain options.

有关修复的建议吗？

推荐答案

经过进一步研究，上面的Hot Licks的建议似乎是正确的，加上no-cache，no -storeHTTP响应的值，未在SQLite数据库中记录的HTTP请求值。

After further research, it seems that the suggestion by Hot Licks above was correct, by adding the "no-cache, no-store" value to the HTTP response, the HTTP request values where not logged in the SQLite database.

例如，在ASP.Net MVC中：

For example, in ASP.Net MVC:

public ActionResult PostSensitiveData(string data)
{
     Response.Cache.SetCacheability(HttpCacheability.NoCache);
     Response.Cache.SetNoStore();

     return Json(data);
}

这篇关于敏感数据存储在cache.db-wal文件中？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！