When building iOS applications, developers always deal with sensitive data (e.g., passwords, secret keys, personally identifiable information (PII)). Thus, you need to ensure that sensitive data is only stored with appropriate protection. For instance, it should not be kept in .plist files or hardcoded as a String in code. Instead, you must store sensitive data by using Keychain, which stores data inside the Secure Enclave. For a more advanced setup, you can use the envelope encryption approach and store the "root key" in Keychain.
When working with Keychain, you should use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly with SecAccessControlCreateWithFlags so that the data in the Keychain can only be accessed when the device is unlocked.
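One way to apply this setting, as an added example that is not code from the original article. The names storeSecret, readSecret and KeychainError, and the service/account parameters, are hypothetical; the item is assumed to be a generic password.

```swift
import Foundation
import Security

struct KeychainError: Error { let status: OSStatus }

// Hypothetical helper: saves `secret` so it is readable only while the device is
// unlocked, only when a passcode is set, and never restored onto another device.
func storeSecret(_ secret: Data, service: String, account: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [],          // no per-read prompt; .userPresence would require biometry/passcode
        &cfError
    ) else { throw cfError!.takeRetainedValue() as Error }

    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier item so it cannot linger with a weaker protection class.
    let deleted = SecItemDelete(identity as CFDictionary)
    guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
        throw KeychainError(status: deleted)
    }
    var attributes = identity
    // kSecAttrAccessControl replaces kSecAttrAccessible; do not set both.
    attributes[kSecAttrAccessControl as String] = access
    attributes[kSecValueData as String] = secret
    let added = SecItemAdd(attributes as CFDictionary, nil)
    guard added == errSecSuccess else { throw KeychainError(status: added) }
}

// Hypothetical helper: returns nil when no item exists, throws on any other failure.
func readSecret(service: String, account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError(status: status) // e.g. errSecInteractionNotAllowed while locked
    }
}
```

Items with this protection class can only be created on a device that has a passcode, and they are deleted if the passcode is removed, so callers should treat a failed store or a nil read as a normal condition.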
Developers always use logs to debug or track the data flows. Consequently, sensitive data could be shown in the log files. You should check predefined and built-in log functions (e.g., NSLog, assert, print) or custom functions (e.g., Logging, Logger, Logfile) and remove them from the codebase.
If you still want to use logging, consider allowing it for DEBUG or development modes only.
    #if DEBUG
    NSLog(...)
    #endif
Recently, I integrated Firebase, Braze, and Appsflyer into mobile applications. These tools provide tracking services to monitor users’ behaviors, show banner advertisements, etc. You should determine whether sensitive data is shared with third parties or not. So I recommend: