
Securely dealing with passwords in Cocoa and in NSTask

Let's say I have an NSSecureTextField in my app. Is it okay for me to grab the password into an NSString variable (as I normally would) and pass it around my app's code? Is it considered secure, or do I have to somehow encrypt the string variable within the app's code?

Also (and this is an absolutely critical part of my question): Is it secure to pass an NSString password gotten from an NSSecureTextField, via an NSPipe, into the standard input of an NSTask, to supply a password to a command-line tool? My main worry is that the OS would log the password someplace, which would be terrible.

asked Jun 11 '11 19:06

Enchilada


2 Answers

In general, as soon as a password leaves secure storage (i.e. NSSecureTextField) and is stored as plain text in memory (NSString variable), it is no longer considered secure. All the more, passing a plain-text password to the OS environment is not secure. It's relatively difficult for a potential attacker to get it in the first case (from the memory of your app), and relatively easy in the second case.

answered Oct 23 '22 20:10

Petr Abdulin


It is safe to pass unencrypted data around your application. Other applications cannot access your address space, so as long as you take care of security vulnerabilities, no one can get it. However, you should encrypt it before passing it to another application, if possible. You can't be sure it won't be intercepted between the two.

answered Oct 23 '22 20:10

ughoavgfhw
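
The NSPipe-to-NSTask hand-off the question asks about, as an added example that is not code from either poster. The helper name, the `/usr/bin/wc` stand-in tool and the sample secret are assumptions, and the `error:`-returning NSFileHandle calls require macOS 10.15 or later.

```objc
#import <Foundation/Foundation.h>
#include <signal.h>

// Hypothetical helper (not from the thread): sends `secret` to a child tool on
// its standard input and returns the tool's exit status, or -1 on failure.
static int RunToolWithSecretOnStdin(NSString *toolPath,
                                    NSArray<NSString *> *arguments,
                                    NSMutableData *secret) {
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:toolPath];
    // Keep the secret out of the argument list: arguments show up in process
    // listings such as `ps`. Data written to an anonymous pipe does not.
    task.arguments = arguments;

    NSPipe *stdinPipe = [NSPipe pipe];
    task.standardInput = stdinPipe;

    NSError *error = nil;
    if (![task launchAndReturnError:&error]) {
        NSLog(@"launch failed: %@", error.localizedDescription); // never log the secret
        [secret resetBytesInRange:NSMakeRange(0, secret.length)];
        return -1;
    }

    NSFileHandle *writer = stdinPipe.fileHandleForWriting;
    BOOL wrote = [writer writeData:secret error:&error];
    [writer closeAndReturnError:NULL]; // EOF tells the tool the input is complete

    // Zero the one buffer we control. An NSString taken from the text field is
    // immutable and cannot be wiped, so convert to mutable bytes early.
    [secret resetBytesInRange:NSMakeRange(0, secret.length)];

    [task waitUntilExit];
    return wrote ? task.terminationStatus : -1;
}

int main(void) {
    @autoreleasepool {
        signal(SIGPIPE, SIG_IGN); // a tool that exits early must not kill us on write
        const char demo[] = "constructed-sample-secret\n"; // constructed sample value
        NSMutableData *secret = [NSMutableData dataWithBytes:demo length:sizeof demo - 1];
        // /usr/bin/wc stands in for the real command-line tool (assumption).
        int status = RunToolWithSecretOnStdin(@"/usr/bin/wc", @[@"-c"], secret);
        NSLog(@"tool exited with status %d", status);
        return status == 0 ? 0 : 1;
    }
}
```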