安全地将NSString中的内存清零 [英] Securely zero out memory in NSString

问题描述

在iOS上，我想知道我是否读过用户提供的密码值:

On iOS, I was wondering, say if I read user provided password value as such:

NSString* strPwd = UITextField.text;

//Check 'strPwd'
...

//How to clear out 'strPwd' from RAM?

我只是不喜欢将敏感数据悬挂"在RAM中.知道如何将其归零吗?

I just don't like leaving sensitive data "dangling" in the RAM. Any idea how to zero it out?

推荐答案

基本上，您实际上做不到.苹果公司已针对此确切问题提交了错误报告.另外，UITextField和NSString至少存在问题.

Basically you really can't. There are bugs filed with Apple over this exact issue. Additionally there are problems with UITextField and NSString at a minimum.

要在@Leo Natan现在删除的答案中重申评论:

To reiterate the comment in a now deleted answer by @Leo Natan:

释放封闭的NSString对象不能保证该字符串 字节在内存中为零.此外，如果设备已越狱，则所有 苹果承诺的沙盒化将毫无用处.但是，在这种情况下， 几乎没有人可以做，因为可以交换整个 运行时在应用程序运行的中间，这使得 内存中的密码.

Releasing the enclosing NSString object does not guarantee the string bytes are zeroes in memory. Also, if a device is jailbroken, all the sandboxing Apple promises will be of no use. However, in this case, there is little one can do, as it is possible to swap the entire runtime in the middle of the application running, this getting the password from the memory.

请向苹果提出另一个错误请求，这个错误越多越好.

Please file another bug with apple requesting this, the more the better.

Apple Bug Reporter

这篇关于安全地将NSString中的内存清零的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！