
Security surrounding the iOS shared NSHTTPCookieStorage

I'm struggling to find the exact details on this, so I'm hoping to get some help here. I'm looking for some information regarding the underlying storage mechanism of the iOS shared NSHTTPCookieStorage:

  • When cookies are stored using the shared NSHTTPCookieStorage, is there any encryption provided by default, such as the use of the keychain services? Or are the cookies simply stored in plaintext using NSUserDefaults?
  • I understand that the cookies are stored within an app's sandbox, so that other apps will not have access, but is my understanding correct that someone with physical access to the device can easily access an app's cookies and their values (especially if they are stored unencrypted)?

If one had to handle some sensitive data in cookies but wanted to utilise the default cookie handling/storage (shared NSHTTPCookieStorage) of the NSURLSession APIs for instance, what would then be the best option?

Sorry, I know I've asked 3 separate questions but any help on this would be greatly appreciated.

Thanks.

Stephen Asherson asked Apr 23 '15 08:04


1 Answer

I don't know how cookies specifically are stored, but all application files are encrypted on iOS, with an AES256 key specific to the app. Those keys are derived from other keys that ultimately come from the "secure enclave" within the CPU chip, which will only release the keys when the user unlocks the device. (Apple has a pretty comprehensive security white-paper for iOS that describes this in detail.)

For this reason it's quite difficult to access files on iOS, even with physical access, unless you can get the device's passcode and unlock it. The regular cookie storage is probably secure enough for your purposes.

Jens Alfke answered Nov 15 '22 07:11
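The question asks how to handle sensitive values while still leaning on the default cookie handling of the NSURLSession APIs. The following is an added Swift example, not code from the question or the answer above, and not Apple's own: it parses Set-Cookie headers the way the session would, audits the resulting NSHTTPCookie objects (HTTPCookie in Swift) for attributes that decide whether and how they reach the shared NSHTTPCookieStorage on disk, and shows an ephemeral session whose cookie store lives only in memory. The domain `api.example.com`, the cookie names, the header values and the function names (`parseSetCookieLines`, `auditCookies`, `auditSharedStore`, `makeSensitiveSession`) are all assumptions made for the example.

```swift
import Foundation

// Added example; not code from the question or the answer above. It uses the
// Swift names of the classes discussed (NSHTTPCookieStorage -> HTTPCookieStorage,
// NSHTTPCookie -> HTTPCookie). Domain, cookie names and header values below are
// constructed sample data.

struct CookieFinding: CustomStringConvertible {
    let name: String
    let issue: String
    var description: String { "\(name): \(issue)" }
}

/// Builds HTTPCookie objects from Set-Cookie header lines the way NSURLSession
/// does for a response. One header field per call, so the comma inside an
/// Expires date is never mistaken for a cookie separator.
func parseSetCookieLines(_ lines: [String], for url: URL) -> [HTTPCookie] {
    return lines.flatMap { line in
        HTTPCookie.cookies(withResponseHeaderFields: ["Set-Cookie": line], for: url)
    }
}

/// Reports cookies that would land in the shared store with weak attributes.
/// Assumption (ours, not stated on the page): names in `sensitiveNames` carry
/// session or auth material and should be Secure, HttpOnly and session-scoped
/// (no Expires), so they are kept in memory and never persisted to disk.
func auditCookies(_ cookies: [HTTPCookie], sensitiveNames: Set<String>) -> [CookieFinding] {
    var findings: [CookieFinding] = []
    for cookie in cookies {
        if !cookie.isSecure {
            findings.append(CookieFinding(name: cookie.name,
                                          issue: "no Secure attribute; would be sent over plain HTTP"))
        }
        if !cookie.isHTTPOnly {
            findings.append(CookieFinding(name: cookie.name,
                                          issue: "no HttpOnly attribute; exposed to script in any web view that receives it"))
        }
        if sensitiveNames.contains(cookie.name), !cookie.isSessionOnly {
            let until = cookie.expiresDate.map { "\($0)" } ?? "unknown date"
            findings.append(CookieFinding(name: cookie.name,
                                          issue: "sensitive but persistent (expires \(until)); it will be written to the app's cookie store on disk"))
        }
    }
    return findings
}

/// Runs the same audit over whatever the app's shared NSHTTPCookieStorage holds now.
func auditSharedStore(sensitiveNames: Set<String>) -> [CookieFinding] {
    return auditCookies(HTTPCookieStorage.shared.cookies ?? [], sensitiveNames: sensitiveNames)
}

/// Keeps a sensitive session's cookies out of the shared store altogether: an
/// ephemeral configuration gives the session a private, in-memory cookie store
/// that is discarded with the session and never written to disk.
func makeSensitiveSession() -> URLSession {
    let config = URLSessionConfiguration.ephemeral
    config.httpShouldSetCookies = true
    config.httpCookieAcceptPolicy = .onlyFromMainDocumentDomain
    return URLSession(configuration: config)
}

// Constructed sample: three cookies as an API might set them on login.
let loginURL = URL(string: "https://api.example.com/login")!
let sampleHeaders = [
    "session=c0ffee; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "token=deadbeef; Path=/; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]
let sampleCookies = parseSetCookieLines(sampleHeaders, for: loginURL)
for finding in auditCookies(sampleCookies, sensitiveNames: ["session", "token"]) {
    print(finding)
}
let _ = makeSensitiveSession()
```

Run as a script with `swift` on macOS or inside an iOS target. In the sample, `session` passes, `prefs` is flagged for lacking Secure and HttpOnly, and `token` is flagged for lacking HttpOnly and for being persistent; only cookies with an Expires (or Max-Age) attribute survive an app restart in the shared store, which is the distinction `isSessionOnly` exposes. Calling `auditSharedStore` from the app shows what the shared store is actually holding, and routing the login through `makeSensitiveSession` keeps those cookies out of it entirely.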