避免缓存HTTP(S)请求/响应

细节

默认情况下，iOS的NSURLRequest会将请求响应缓存到Cache.db文件中。为了防止这种不安全的行为，开发人员必须明确禁用缓存。

修复

开发人员可以设置NSURLRequest的cachePolicy属性来禁用HTTP(S)请求和响应的缓存。

其中一种禁用缓存的方法如下述代码片段所示（来自NSURLConnection Delegate Returns Null Stack on Stack Overflow - http://stackoverflow.com/questions/30667340/nsurlconnection-delegate-returns-null）：

NSMutableData *_theReceivedData;

- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response {
            _theReceivedData = [NSMutableData new];
            [_theReceivedData setLength:0];
        }

        - (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
            [_theReceivedData appendData:data];
        }

        - (NSCachedURLResponse *)connection:(NSURLConnection *)connection
                          willCacheResponse:(NSCachedURLResponse*)cachedResponse {
            // Return nil to indicate not necessary to store a cached response for this connection
            return nil;
        }

        // LOOK AT THIS http://stackoverflow.com/questions/1064920/iphone-corrupt-jpeg-data-for-image-received-over-http

        - (void)connectionDidFinishLoading:(NSURLConnection *)connection {
            NSLog(@"%@",_theReceivedData);

开发人员可以在Apple Developer的“了解缓存访问”中找到其他方法来禁用HTTP(S)请求和响应的缓存。

参考

• Understanding cache access - https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/URLLoadingSystem/Concepts/CachePolicies.html

• OWASP Mobile Top 10: M2 - Insecure Data Storage , M4 - Unintended Data Leakage

• CWE: CWE-312 - Cleartext Storage of Sensitive Information , CWE-313 - Cleartext Storage in a File or on Disk , CWE-522 - Insufficiently Protected Credentials