I recently discovered that HTTPCookieStorage stores my application’s secure JWT tokens as searchable text in a file located at <App Bundle Path>/Library/Cookies/<bundle id>.binarycookies.
I had previously presumed that Apple would encrypt the tokens before storing them to disc, especially given that they are marked as secure tokens.
I’ve searched the Internet, and most responses admit that this is true, but suggest that this is not an issue because of Apple’s Data Protection technology (which uses 256-bit encryption when the device is locked). However, when the device is unlocked or jailbroken, these cookies would be readily accessible. I want to ensure that my application’s JWT tokens are encrypted even when the device is unlocked or jailbroken.
I’ve searched the documentation for HTTPCookieStorage for any settings to encrypt secure cookies before saving them to disc and found no built-in option.
2 Answers
Turns out that HTTPCookieStorage can be subclassed. I ended up implementing an in-memory solution. This could easily be modified to use Keychain. In-memory is good enough for my current solution.
Then, set up URLSessionConfiguration to use SecureCookieStorage
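The in-memory subclass described above, as an added example that is not the answer's own code: `SecureCookieStorage` is an assumed name, and the session is wired to it so cookies for that session never reach the file-backed default store.

```swift
import Foundation

/// Added example: an HTTPCookieStorage subclass that keeps cookies only in process memory,
/// so no `.binarycookies` file is written for sessions that use it.
final class SecureCookieStorage: HTTPCookieStorage {
    private var store: [String: HTTPCookie] = [:]   // keyed by domain|path|name
    private let lock = NSLock()

    private func key(_ c: HTTPCookie) -> String { "\(c.domain.lowercased())|\(c.path)|\(c.name)" }

    override var cookies: [HTTPCookie]? {
        lock.lock(); defer { lock.unlock() }
        return Array(store.values)
    }

    override func setCookie(_ cookie: HTTPCookie) {
        lock.lock(); defer { lock.unlock() }
        // An already-expired cookie is a deletion request, not something to retain.
        if let exp = cookie.expiresDate, exp <= Date() { store[key(cookie)] = nil; return }
        store[key(cookie)] = cookie
    }

    override func deleteCookie(_ cookie: HTTPCookie) {
        lock.lock(); defer { lock.unlock() }
        store[key(cookie)] = nil
    }

    /// Return only cookies whose domain, path, Secure flag and expiry allow them for `url`.
    override func cookies(for url: URL) -> [HTTPCookie]? {
        guard let host = url.host?.lowercased() else { return nil }
        let https = url.scheme?.lowercased() == "https"
        let path = url.path.isEmpty ? "/" : url.path
        lock.lock(); defer { lock.unlock() }
        return store.values.filter { c in
            let d = c.domain.lowercased()
            let domainOK = d.hasPrefix(".") ? (host == String(d.dropFirst()) || host.hasSuffix(d)) : host == d
            let secureOK = !c.isSecure || https          // never release a Secure cookie over http
            let live = c.expiresDate.map { $0 > Date() } ?? true
            return domainOK && path.hasPrefix(c.path) && secureOK && live
        }
    }

    override func setCookies(_ cookies: [HTTPCookie], for url: URL?, mainDocumentURL: URL?) {
        cookies.forEach(setCookie)
    }

    override func storeCookies(_ cookies: [HTTPCookie], for task: URLSessionTask) {
        cookies.forEach(setCookie)
    }

    override func getCookiesFor(_ task: URLSessionTask, completionHandler: @escaping ([HTTPCookie]?) -> Void) {
        completionHandler(task.currentRequest?.url.flatMap(cookies(for:)))
    }
}

// Wire the storage into a session; requests made through `session` read and write only this store.
let config = URLSessionConfiguration.default
config.httpCookieStorage = SecureCookieStorage()
config.httpCookieAcceptPolicy = .onlyFromMainDocumentDomain
let session = URLSession(configuration: config)
```

Note that `URLSessionConfiguration.ephemeral` already keeps cookies out of the on-disk store; the subclass is what lets you add retention rules or move the token into the Keychain later.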
If you really need it to be "secure" you shouldn’t store it into the HTTPCookieStorage. Rather use the Keychain and then add the cookie whenever needed to your request. But I don’t get why it needs to be so private, that the user can’t read it. If they want they could also intercept the cookie when sent with a request.